TABLE OF CONTENTS

BACKGROUND
EXECUTIVE SUMMARY
HEALTH CARE ORGANIZATION 1
  Cyber Risk Landscape
  HCO 1 Risk Management Culture
    Governance
    Governance Questions
    Strategies for Success
    Strategic Plan
    Leadership Involvement in Incident Response
  HCO 1 Use Case
    The Incident
    Lessons Learned and Rules of Thumb
  Cost/Benefit Considerations
  Use Case Questions
  Cybersecurity Insurance
HEALTH CARE ORGANIZATION 2
  Cyber Risk Landscape
    Longstanding Challenges
    Regulatory Regimes and Audits
    HIPAA
    HIPAA's Limits
    Regulatory Regimes and Audits Questions
    Academic Freedom
    Asset Management and Software Security Solutions
  HCO 2 Risk Management Culture
    Governance
    Strategies for Success
    Compliance Versus Enterprise Risk Management
    Costs, Benefits, and the Power of Compliance
    Costs, Benefits, and Enterprise Approaches
    Regulation
    Reputational Risks
  HCO 2 Use Case
    The Incident
    Use Case Implications
  Cybersecurity Insurance
HEALTH CARE ORGANIZATION 3
  Cyber Risk Landscape
  HCO 3 Risk Management Culture
    Governance
    Strategies for Success
    ERM Frameworks
    Catastrophe Planning
  HCO 3 Use Case
    The Incident
    Incident Observations
    Use Case Questions
  Cost/Benefit
    Communications to Leadership
    Risk Management Roadmaps
    Assessing Costs
    Assessing Benefits
    Monitoring Traffic for Indicators and Events
    Advanced Persistent Threat Response
  Cybersecurity Insurance
CONCLUSION
APPENDIX

BACKGROUND

The Department of Homeland Security's (DHS) National Protection and Programs Directorate (NPPD) helps both private and public sector partners secure their cyber networks, assisting them collectively and individually and improving the nation's overall cybersecurity posture in the process. Through these interactions, DHS has become aware of a growing interest in cybersecurity insurance as well as limitations in the current market, especially when it comes to first-party market coverage for cyber-related critical infrastructure loss.[1]

To better understand those limitations and how a more robust market could help encourage better cyber risk management, NPPD hosted its first-ever Cybersecurity Insurance Workshop during the fall of 2012. NPPD had two main goals for the event: (1) determine what obstacles prevent carriers from offering more attractive first-party policies to more customers at lower cost; and (2) promote stakeholder discussion about how to move the market forward. At that event, NPPD hosted a diverse group of participants, registered on a first-come, first-served basis, from five stakeholder groups that included insurance carriers, risk managers, information technology/cyber experts, academics/social scientists, and critical infrastructure owners and operators. Several federal agencies also sent representatives.

As part of its planning, NPPD asked participants to nominate breakout group topics in order to develop the workshop agenda and ensure that it addressed matters of critical interest. Participants nominated the following topics, which focused specifically on the first-party market:
(1) Defining Insurable and Uninsurable Cyber Risks;
(2) Cyber Insurance and the Human Element;
(3) Cyber Liability: Who is Responsible for What Harm;
(4) Current Cyber Risk Management Strategies and Approaches;
(5) Cyber Insurance: What Harms Should It Cover and What Should It Cost;
(6) Improving the Cyber Insurance Market: Stakeholder Roles and Responsibilities; and
(7) Sequencing Solutions: How Should the Market Move Forward?

On May 13, 2013, NPPD held a roundtable based on what it had learned during the fall workshop. The roundtable focused on how organizations should go about building more effective cyber risk cultures as a prerequisite to a stronger and more responsive first-party market. With representatives from each of the same stakeholder groups in attendance, NPPD led a discussion about four pillars of such cultures: (1) Engaged Executive Leadership; (2) Targeted Cyber Risk Management and Awareness; (3) Cost-Effective Technology Investments Tailored to Organizational Needs; and (4) Relevant Information Sharing. Participants described the importance of and challenges with implementing the pillars in three distinct but related contexts: within companies; between partnering companies; and nationally. They likewise offered their opinions about how large, mid-size, and small companies should go about meeting those challenges given their traditionally disparate levels of expertise and risk management resources.

[1] First-party cybersecurity insurance policies cover direct losses to companies arising from events such as business interruption, destruction of data and property, and reputational harm. Third-party policies, by contrast, cover losses that a company causes to its customers and others, such as harms arising from the exposure of personally identifiable information (PII) through a data breach. See U.S. Department of Homeland Security, Cybersecurity Insurance Workshop Readout Report, National Protection and Programs Directorate (online), accessed 29 January 2014.

During both events, participants shared a wide range of perspectives on these various topics, which were included in workshop and roundtable readout reports. The reports are available on the DHS Cybersecurity Insurance webpage. Building on the ideas surfaced at the workshop and roundtable, and after conducting its own additional research, NPPD publicly announced its intent to convene a second roundtable in the fall of 2013. That event, the subject of this readout report, addressed a fundamental yet unanswered question that had arisen over the course of the prior discussions: how do cost and benefit considerations inform the identification of not only an organization's top cyber risks but also appropriate risk management investments to address them?

On November 20, 2013, NPPD accordingly hosted a small number of participants, registered on a first-come, first-served basis, at the National Intellectual Property Rights (IPR) Coordination Center in Arlington, Virginia, to find answers. NPPD adopted a new format for the roundtable that included three cyber risk management use case presentations by health care organization (HCO) representatives. The representatives described an actual cyber incident that their organizations had experienced; how they managed the incident; and how lessons learned from the incident have influenced their actions and investments to improve patient safety. The presentations likewise addressed how the organizations are incorporating cost/benefit considerations as part of cyber risk management strategies; how their individual risk cultures are evolving as a result; and what role cybersecurity insurance is playing as part of their processes. An extended group discussion period followed each use case presentation in order to examine all of these themes in detail and to identify potential opportunities to enhance cyber risk management best practices.

Prior to the roundtable, NPPD advised the presenters and participants alike that their input during the event would be included in this final readout report on a non-attribution basis. NPPD explained that the purpose of this report would be to: (1) capture diverse ideas about how cost/benefit considerations motivate cyber risk management investments, including insurance investments; and (2) record a wide range of perspectives that might inform cyber risk management efforts nationally. NPPD further advised that it wasn't looking for, wouldn't accept, and wouldn't solicit group or consensus recommendations during the roundtable. NPPD likewise clarified that neither DHS nor NPPD would make any decisions about agency policy or positions during the event.

In addition to 8 roundtable leaders, organizers, and support personnel, NPPD hosted 30 participants from the following stakeholder groups:
Insurance Carriers: 7
Risk Managers: 6
Information Technology/Cyber Experts: 6
Academics/Social Scientists: 3
Critical Infrastructure Owners/Operators: 5
Government: 3

EXECUTIVE SUMMARY

The HCO representatives, all of them Chief Information Security Officers (CISOs) or risk manager equivalents, hailed from a variety of organizations, including an academic medical center and research university, a university hospital system, and a medical vendor that provides health care consumer products, pharmaceuticals, and medical devices/technology. Although each presented very different cyber risk management use cases, they shared many of the same challenges while addressing them. They consequently directed their remarks to three principal topics during the roundtable discussions: (1) making the case for cybersecurity investments to senior leadership; (2) incorporating cost/benefit considerations into their arguments; and (3) negotiating the boundary between risk mitigation efforts and risk transfer/insurance options to promote more effective cyber risk management strategies.

ENGAGING LEADERSHIP

The HCO representatives described two approaches to driving cybersecurity investments within their respective organizations. Several emphasized the value of enterprise risk management (ERM) to their efforts, noting that involving senior leadership in both the identification and prioritization of cyber risks has been critical to building trust in and promoting the effectiveness of their teams. They explained how they create master lists of priority cyber risks and corresponding risk controls for leadership review, drawing heavily on their team members' subject matter expertise as informed by real world cyber incidents. After presenting and discussing his team's list, one representative reported that his board of directors literally draws a line between those controls that will be funded given available resources and those controls that will not. This practice, he noted, generates a sense of ownership by the board that invests it in the success of its chosen approaches.

By contrast, another representative explained that more primal factors motivate his leadership to spend against cyber risk: namely, fear of substantial regulatory fines and public shaming under the Health Insurance Portability and Accountability Act (HIPAA).[2] The representative advised that even though HIPAA does not focus on malicious hacking or other activity that doesn't directly impact the delivery of patient care, he nevertheless tries to market all his recommended risk controls on HIPAA grounds. Given its role as primary driver of IT security funding, he observed, HIPAA currently serves as a necessary albeit imperfect vehicle for obtaining the cybersecurity funds he needs. Despite these disparate approaches, the HCO representatives concurred that ERM strategies that include cyber risk become easier to develop, fund, and implement once senior leaders mature their understanding of the full range of online dangers their organizations face.

[2] The Health Insurance Portability and Accountability Act of 1996 (110 Stat. 1936).

COSTS AND BENEFITS

The HCO representatives likewise advised that when it comes to cost/benefit considerations, they use an exclusively qualitative approach when prioritizing cyber risks on the one hand and making the case for cyber risk management resources on the other. They asserted that cyber risk management today, at least in the health care sector, is more of an art than a science. One representative explained that his senior leadership usually defers to him regarding top cyber risks so long as he

maintains a keen sense of what's happening on his organization's networks, what's likely to happen on them in the future, and where the greatest potential for financial and other loss exists. This trust in his expertise likewise carries over directly to his proposed solution sets. Spreadsheets with quantitative details about the merits of one risk control over another, he continued, consequently have little to do with convincing corporate leaders to act. Several representatives agreed and reported that their leadership instead encourages them to ballpark their cybersecurity investment recommendations in relation to the pack. As one noted, the rule of thumb is to spend not so much more than their peers that shareholders get angry and not so much less that regulators come knocking.

The representatives agreed that getting their organizations to actually fund their cybersecurity investment recommendations is the hard part. One stated that the best way for him to sell a particular investment's benefit is to assign ownership for potential cyber incident losses to specific individuals. He explained that once department heads understand that they're institutionally on the hook for such losses, resource conversations about purchasing and pre-positioning various risk controls suddenly become much easier. Another advised that avoiding the costs of a HIPAA audit typically is the only benefit he needs to demonstrate regarding a proposed mitigation. In short, casting a cyber risk control's benefits in terms of avoiding direct financial pain appears to be a highly successful technique.

THE ROLE OF INSURANCE

The HCO representatives were somewhat ambivalent about the role of cybersecurity insurance within their organizations' cyber risk management strategies. Several reported that they meet annually with underwriters to provide updates about their organization's cyber incidents and believe that data breach coverage in particular is good to have. While one appreciated that his employer's insurer paid for an incident response firm to help out during a major cyber incident, he stated that he saw cybersecurity insurance as a way to address catastrophic situations only. He emphasized that he would not welcome insurers dictating how he or his team should mitigate cyber risks in his day-to-day environment. While another representative concurred that cybersecurity insurance has value because it purports to cover costs arising from unavoidable data breaches, he was dubious about the level of reimbursement his organization could truly expect in the event of a breach. It's never made a claim to test its policy. The third representative advised, in turn, that his organization has not yet invested in cybersecurity insurance. In view of his limited cybersecurity resources, he added, it makes more sense to spend on risk mitigation rather than risk transfer options.

Under these circumstances, the roundtable participants agreed that both cybersecurity professionals and insurers would benefit from a sustained dialogue about what each community brings to the cyber risk management table. Several remarked that a good first topic of conversation would be how they could work together to advance the cybersecurity insurance market's ability to cover cyber-related critical infrastructure loss.

HEALTH CARE ORGANIZATION 1

ORGANIZATION OVERVIEW

The Chief Information Security Officer (CISO) for Health Care Organization 1 (HCO 1) described HCO 1 as a nationally top-ranked research university and academic medical center. HCO 1 comprises several hospitals and hosts influential and sometimes controversial faculty and alumni, the profiles of whom, he noted, sometimes make it a cyber target. He stated that HCO 1 is home to almost 15,000 students; 28,000 faculty and staff; and 500 central information technology (IT) staff.

The CISO advised that HCO 1 employs eight full-time information security staff. Four of those professionals work on operational and tactical information security issues such as establishing firewalls and providing hardware and software tokens. The remaining four focus on more strategic issues. Two of those four, he added, work strictly on IT compliance matters. The CISO described his team's budget as small. Apart from employee salaries, he receives less than a million dollars annually to fund cyber risk management initiatives.

USE CASE PRESENTATION AND DISCUSSION

CYBER RISK LANDSCAPE

The CISO described HCO 1 as having a high threat environment in which his team, on a monthly basis, quarantines and/or blocks approximately 450 new bad actors; 30 million communications attempts to and from bad actors; seven million malicious websites; and 60 million e-mail messages. By contrast, his team supports the secure delivery of approximately six million e-mail messages. The CISO added that threat actors that target HCO 1 typically include identity thieves, phishers and spammers, and nation states.

The CISO next described the number of cyber incidents that he and his team must respond to on an annual basis. They include anywhere from 400 to 500 minor incidents, including unauthorized beaconing out of the HCO 1 network (indicating malware or spyware); 10 to 15 significant incidents, such as identity theft schemes, that directly engage his team; and one to five breach notifications. One to three of those breach notifications, he added, include reportable events under HIPAA. The CISO advised that his team routinely cooperates with local and federal law enforcement on such incidents.

HCO 1 RISK MANAGEMENT CULTURE

GOVERNANCE

The CISO stated that he believes that HCO 1 has a healthy risk culture when it comes to managing its cyber risk environment. He explained that HCO 1 has six governance bodies that support his team's cybersecurity work. They include:

A Board of Trustees Audit Committee. The CISO reported that he meets with the Board of Trustees Audit Committee once a year to provide an overview of the HCO 1 cyber risk landscape;

The HCO 1 President's Cabinet and the HCO 1 Healthcare CEO. The CISO stated that he meets with these individuals multiple times per year, as necessary;

An Enterprise Risk Management Committee. The CISO advised that the Enterprise Risk Management Committee includes both an Executive Committee and Risk Management Process Owners; and

A Breach Notification Team. The CISO explained that the Breach Notification Team includes the HCO 1 Chief Information Officer (CIO), the CISO (himself), the General Counsel, and the Chief Risk Officer, all of whom have responsibility for both the HCO 1 healthcare system and the university, as well as the University Privacy Officer, the Healthcare Privacy Officer, the HIPAA Steering Committee (which monitors HCO 1's HIPAA compliance), and an IT Steering Committee (which centralizes IT efforts across HCO 1).

The CISO advised that these governance bodies are comfortable making hard cyber risk management decisions and accordingly will take inconvenient mitigation steps; notify parties affected by a cyber incident; and accept institutional risk, when appropriate. He explained that HCO 1 leadership is guided by a desire to make the right cyber risk management decisions for impacted individuals within the HCO 1 community and for HCO 1 as an institution, in that order.

The CISO reported that the governance bodies involved in HCO 1 cyber incident response include the Breach Notification Team, the Enterprise Risk Management Executive Committee, and business unit leaders from business units impacted by cyber incidents. The CISO noted that the Enterprise Risk Management Committee worked collaboratively to reduce an original list of 1,600 priority risks to 60 risks, three of which involve data breach and/or exposure risks. He advised that his team meets with the Committee several times a year to provide updates on the state of HCO 1's cybersecurity risk. He explained that his primary responsibility, as the cyber risk management process owner, is to get the right information to the Committee in order to enable effective management of the most pressing cyber risks.

The CISO further explained that after a cyber incident, the Breach Notification Team gathers the relevant facts and generates a one-to-two page, high-level risk document with recommendations on how it thinks HCO 1 should respond to the incident. The Team then provides its recommendations to the Enterprise Risk Management Committee which, in turn, determines what actions to take.

GOVERNANCE QUESTIONS

An IT professional asked about the mechanics of the Breach Notification Team process. The CISO replied that it usually takes a short but significant amount of time to conduct a fact-finding effort in support of the one-to-two page Breach Notification Team report. He added that the process, from initial notification of a breach to final decision by the Enterprise Risk Management Committee, can address both cyber and physical threats. For example, HCO 1 maintains its own police department, to which the Breach Notification Team can provide trackable leads such as phone calls. The CISO stated that the police department in turn can issue subpoenas, an authority which it has exercised on his team's behalf in the past. In return, he noted, his team can provide technical expertise for law enforcement tasks such as forensic analysis of infected workstations.

A risk manager asked the CISO about his communications strategy following a cyber incident. He responded that his team puts together the first draft of any message in order to ensure that all the technical and other facts about an event are correct. The team then sends the draft to the HCO 1 press office for final preparation. The CISO added that he and his staff are very cognizant of all the downstream impacts that might result from an incident and that that knowledge informs everything they do. An IT professional then asked whether the CISO has a holding press statement at the ready whenever cyber incidents occur. The CISO responded in the negative.

A critical infrastructure representative asked what participation the CISO has in higher-level discussions for business decisions. The CISO responded that although neither he nor his team directly participate in discussions about large and strategic IT purchases, the Chief Information Officer (CIO) does so participate and is very security minded. The CISO added that if HCO 1 considered such a purchase, the CIO would come to him and ask for advice and guidance.

STRATEGIES FOR SUCCESS

The CISO described a two-pronged strategy for his team's cyber risk management success that includes obtaining leadership approval for HCO 1's Strategic Plan for Information Security and involving leadership in the incident response process itself.

STRATEGIC PLAN

Regarding the first prong, the CISO advised that his team works to align HCO 1's Strategic Plan for Information Security, which addresses where large information security initiatives should be focused for HCO 1 in the coming months, with HCO 1's overall institutional vision and strategy. As part of that effort, his team periodically generates a prioritized list of information security risks. That list includes a corresponding series of information security initiatives designed to address those prioritized risks. Each such initiative includes a description of its estimated one-time and recurring costs; staffing requirements; and the specific risks (e.g.,

those arising out of Bring Your Own Device (BYOD) and other business trends) that they're designed to address.[3] The CISO advised that he seeks funding for the highest priority initiatives recommended by his team but has HCO 1 leadership literally draw a line between the information security initiatives that it will fund and those which it will not. The CISO reported that this decision process highlights to HCO 1 leadership that, in a resource-constrained environment, some threats will not be addressed. In this way, leadership is forced to explicitly prioritize between different types of threats and risks and accordingly own its final decisions in a much more complete manner. He stated that HCO 1 executives have accordingly become more and more invested over time in the success of the HCO 1 Strategic Plan for Information Security.

A critical infrastructure representative asked if the CISO sometimes argues in the opposite direction, attempting to convince his leadership not to fund specific initiatives that may not offer a comparative value. He responded that his team does not make such arguments but that the CIO is much more likely to do so.

LEADERSHIP INVOLVEMENT IN INCIDENT RESPONSE

Regarding the second prong, the CISO reported that his team provides regular cybersecurity briefings to HCO 1's six governance bodies, a service that has gone a long way toward building a great relationship with key leaders and establishing his team's credibility. As a result, he has obtained leadership approval for not only a unified cyber incident/breach response process but also incident/breach response teams to actually implement that process. To fortify this progress, the CISO ensures that HCO 1 leadership has final decision making responsibility for all strategic cyber risk management decisions that impact the incident/breach response process.

The CISO emphasized that his team's efforts have resulted in strong leadership support for a predetermined funding model that imposes the direct costs of cyber incidents on the HCO 1 business units responsible for them. The CISO mentioned that he wants those units to share the pain that their sometimes poor cybersecurity causes to the enterprise. Using an internal billing code, he accordingly charges them for breach notification, investigation, and mitigation expenses as they arise and accrue over time. The CISO noted that this cost ownership policy is meant to reduce reliance on institutional risk across HCO 1. He stated that this approach is very effective and that he rarely, if ever, feels that he's being asked to internalize too much risk.

[3] Bring Your Own Device (BYOD) refers to the practice of allowing an organization's employees to use their own computers, smartphones, or other devices for work purposes. Oxford Dictionaries, "BYOD" (online, n.d.), accessed 7 January 2014.

HCO 1 USE CASE

THE INCIDENT

In the summer of 2013, HCO 1's network monitoring tools alerted security administrators that an unexpected system management tool had executed on several systems. The security team investigated the activity and determined that administrative accounts were accessing systems in a manner that suggested that they had been compromised by malicious hackers. HCO 1's initial investigative efforts revealed that at least a partial list of domain accounts and password hashes had been compromised by the malicious hackers and that they had obtained the credentials of at least two domain administrators.

To assist with forensic analysis and other security efforts involved with the incident, HCO 1 engaged the assistance of one of the nation's leading incident response firms. Doing so took several days because HCO 1 first had to verify that its insurer would pay for the services, the costs for which exceeded insurance policy limits, before entering into negotiations with the firm. HCO 1 actively cooperated with federal law enforcement agents during this time.

Through its combined investigative efforts, HCO 1 was able to determine that approximately 44 systems within the HCO 1 environment were either compromised or accessed by the malicious hackers. Other than the aforementioned list of user accounts and hashed passwords, the investigation did not find evidence that the malicious hackers had accessed additional personally identifiable information (PII). HCO 1 took immediate steps to investigate and contain the intrusion, including disabling privileged accounts to which the malicious hackers had access and replacing potentially compromised Active Directory servers.

In conjunction with HCO 1's Enterprise Security team, the incident response firm performed investigative activities both onsite and remotely for just over five weeks. The incident response firm asked HCO 1 not to remove the malicious hackers immediately in order to provide it with sufficient time to figure out what they were up to on the HCO 1 network. The CISO and his team accordingly recommended to HCO 1's Enterprise Risk Management Committee that they initially make a very limited mitigation response so the firm could conduct its requested assessment. The Enterprise Risk Management Committee agreed.

After determining the full scope of systems impacted by the incident, a second round of remediation activities was identified and planned. In addition to finally removing the malicious hackers from the environment, those planned activities were designed to improve HCO 1's defenses and enhance its monitoring capabilities over the long term. HCO 1 initiated the second round of remediation activities two weeks after the incident response firm began its onsite activities. At that time, HCO 1 launched an enterprise-wide

password change;[4] removed any remaining compromised systems that had been identified through the ongoing investigation; blocked communication with known malicious hacker network addresses and domains; and implemented hardening countermeasures to make it more difficult for malicious hackers to regain access to HCO 1's internal network and to move about within it. Additionally, HCO 1 implemented enhanced monitoring and alerting capabilities to help detect future attacks. HCO 1 currently is working on several additional long-term efforts to improve its ability to prevent, detect, and respond to similar events in the future.

LESSONS LEARNED AND RULES OF THUMB

The CISO and his team identified seven lessons learned and rules of thumb following the use case incident that continue to inform their strategic cyber risk management planning across the HCO 1 enterprise:

Carpe Incident! Be prepared to take advantage of funding opportunities that may arise from a cyber incident. The CISO stated that very often during or immediately after a significant cyber incident, leadership will ask questions like, "Is there anything we can do to keep this kind of thing from happening again? Do you need any additional resources to help resolve this? Is there any assistance we can provide?" He advised that if cybersecurity professionals have security initiatives waiting in the wings solely because of funding or staffing limitations, they should seize this moment to ask for the additional resources they need. In short, having a small portfolio of pre-prepared, ready-to-go project proposals might just be the thing that will turn a bad situation into an opportunity for improvement.

During extended incident response efforts, having all the members of an incident response team share the same physical space while doing their work is extremely beneficial. The CISO explained that he co-located malware analysts and network engineers throughout the duration of the incident response cycle, an arrangement that led to many efficiencies and synergies in terms of communications, coordination, and situational awareness. These efficiencies and synergies were important, he observed, because approximately 500 individuals across HCO 1 and associated organizations, including the incident response firm, were involved in the response effort.

[4] The CISO stated that many individuals within the HCO 1 community were likely using their HCO 1 passwords for their personal accounts. HCO 1 didn't want anyone's personal accounts to be affected by the incident, so it chose to notify everyone of the need to change the passwords for those accounts.

The CISO added that he'd tell insurance companies that paying for an outside incident response firm to conduct an on-site, real-time assessment of a cyber incident is money well spent. He advised that the costs involved with the use case firm totaled $300,000. By comparison, he commented, traditional off-site forensic analysis would have cost an order of magnitude more and would have been slower.

Things are seldom as definitive as they may seem during the early stages of an incident, so CISOs should not overstate or understate the facts. The CISO suggested that cybersecurity professionals should manage the expectations of their organization's leadership by phrasing their messaging carefully, saying, for example, "the incident is fluid, and this is what we believe at this time," and then providing more detailed and precise updates as more (and better) information becomes available.

A decision not to fund a security initiative is a de facto risk acceptance decision and needs to be made by someone with the authority to accept such risks. The CISO noted that most security incidents don't result from completely novel attack vectors. On the contrary, he continued, most of the potential avenues of compromise likely have been anticipated and potential solutions identified in advance. The CISO added that the real issue is that cybersecurity professionals typically can't do everything at once, so tradeoffs must be made based on priority. "When you're choosing which initiatives to implement you should be doing so because those solutions are believed to provide the highest value in terms of risk reduction versus cost/impact to your organization," he stated. "In contrast, the initiatives you choose not to pursue (for good reason) will mean that there are known/anticipated risks that will not be addressed (at all in some cases) because the initiative is not undertaken." The CISO added that choosing not to fund these initiatives means that, intentionally or not, an organization also chooses to accept certain cyber risks as the cost of doing business. He added that such a decision may be entirely rational, but that the people making it should have not only sufficient budgetary authority to do so but also sufficient management authority to accept the level of anticipated risk that will result. These are joint decisions, he emphasized, that should be decided together by the same people at an enterprise-wide level.

A system compromise is not the same thing as a data breach. Knowing early that malicious hacker(s) have not accessed data, the CISO explained, can save incident responders a lot of time, effort, and expense.

Proactively instrumenting an IT environment is critical to effectively managing a cyber incident. The CISO explained that he and his team had pre-positioned most of its instrumentation prior to the use case incident, but only because they hadn't had it in place before other previous incidents. Even so, he continued, HCO 1 had not pre-positioned the solutions that the incident response firm ultimately provided, solutions that made a huge impact during and after the use case incident. As a result, HCO 1 is now deploying those solutions on a permanent basis to assist with future incidents.

Vulnerabilities in non-critical systems can lead to the compromise of critical systems. The CISO advised that HCO 1 had multi-factor authentication in place for its critical systems prior to the use case incident. He noted that the vulnerability that the malicious hacker(s) exploited, however, existed on a non-critical system that did not require two-factor identification. Once the malicious hacker(s) gained access to that system, he added, they worked laterally across the entire HCO 1 network.

COST/BENEFIT CONSIDERATIONS

The CISO explained that HCO 1's approach to identifying top cyber risks and appropriate controls to address them is qualitative and not quantitative. He explained that a qualitative approach focuses his team on the relative priority and ordinal ranking of cybersecurity initiatives as outlined in the HCO 1 Strategic Plan for Information Security, which in turn informs which specific cyber risk management investments to make. To generate that ranking, the CISO added, his team relies heavily on its own cybersecurity knowledge and expertise. "Cybersecurity is an art," he observed, "not a science." When asked whether he felt pressure to justify his recommendations using return on investment (ROI) analyses, the CISO responded, "It would dilute our message to just put numbers on a spreadsheet. Our relationship with management is based on trust."
The CISO explained that when it comes to cost/benefit considerations, information security generally carries a "big stick" across the HCO 1 environment. That big stick, he continued, derives in part from the organization's ongoing defense of a class action lawsuit involving the lost PII of several thousand people. The CISO noted that the lawsuit powerfully drives home to HCO 1 leadership every day the cost/benefit reality of information security investment.

The CISO advised that he and his team do not prioritize their risk mitigation efforts in isolation but in direct reference to the leadership-approved HCO 1 Strategic Plan for Information Security. "Everything sounds like a good idea in a vacuum," he observed, and therefore must be considered in relation to the strategic plan. Doing so, he continued, helps ensure that the team does not overreact to the "threat of the week." The CISO added, "We do not want to try to do everything and fail in everything due to lack of resources."

The CISO noted, however, that he and his team sometimes rank order their strategic mitigation efforts alongside non-mitigation initiatives of potential benefit to the organization. For example, they might treat inexpensive "quick wins" as operational initiatives worthy of action and will fund them accordingly. Finally, the CISO advised that his team has been able to reduce costs by leveraging pre-negotiated contracts, such as the one with the incident response firm retained during the use case incident last summer. When asked by an insurer whether HCO 1 sustained additional costs beyond retention costs for that firm, the CISO reported that the enterprise had also suffered a loss in productivity.

USE CASE QUESTIONS

A critical infrastructure representative asked if HCO 1 had taken forensic images of the described attacks; whether it had been able to determine the identity of the malicious hacker(s); and the extent to which law enforcement provided value. The CISO responded that most of HCO 1's systems were running on virtual machines, so his team easily created necessary forensic images, captured memory, and produced disk images. He added that HCO 1 had flow data for days on its network as well as network packet capture solutions that retain hours of network traffic into and out of the organization at a time. "Every time we identified a suspect system," the CISO added, "we added it to our list [for network packet capture]." He advised, however, that neither the incident response firm nor law enforcement had been able to confirm the identity of the malicious hacker(s). While work continues in this area, he explained, the malicious hacker(s) did not appear to match other known actors. The CISO observed, moreover, that information sharing with federal law enforcement during the incident had proven to be a largely one-way affair, although his federal partners during their investigation had been able to identify four or five additional "bad guy" systems that had been communicating with HCO 1 servers.
A risk manager asked whether the CISO believed that HCO 1 has a "trusted network" with other universities. The CISO responded affirmatively and advised that HCO 1 is involved with the Research and Education Networking Information Sharing Analysis Center (REN-ISAC). He added that during the use case incident, HCO 1 reached out through the REN-ISAC to similarly situated health care organizations who were also experiencing attacks. The CISO asserted that the nation needs an "ISAC of ISACs" so organizations from multiple sectors can share cyber risk and cyber incident information in real time.

An insurer asked what kinds of interactions HCO 1 had or is having with regulators in the wake of the use case incident. The CISO responded that the Department of Education asked specific, high-level questions of HCO 1 and that he and his team had provided background about the incident. He advised that although user IDs and passwords appeared to have been exposed during the event, there have been no indications that other PII was compromised.
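The triage the CISO describes above (retained flow data, suspect systems added to the packet capture list, and further external systems found to be talking to HCO 1 servers) can be scripted as a two-hop pivot over flow records. The block below is an added example, not code from the report or from HCO 1; its flow records are constructed using documentation address ranges, and the internal address range and the CSV layout are assumptions.

```python
"""Expanding an incident watchlist from retained flow data.

Added example; not code from the workshop report or HCO 1. The flow
records below are constructed (documentation address ranges), the
internal range is assumed, and the CSV layout is a simplified
NetFlow-style export.
"""
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed internal address space

# Constructed flow records: timestamp,src_ip,dst_ip,dst_port,bytes
FLOW_LOG = """\
2013-07-02T01:12:03Z,10.20.30.40,203.0.113.10,443,18422
2013-07-02T01:12:09Z,10.20.30.40,203.0.113.10,443,22010
2013-07-02T01:15:44Z,10.20.30.40,198.51.100.7,8443,91000
2013-07-02T02:01:10Z,10.20.31.8,203.0.113.10,443,1200
2013-07-02T02:05:00Z,10.20.31.8,198.51.100.9,22,4096
2013-07-02T02:40:12Z,10.99.1.2,192.0.2.50,443,5500
2013-07-02T03:00:00Z,203.0.113.10,10.20.30.40,445,300
2013-07-02T03:10:00Z,10.20.30.40,10.20.31.8,445,70000
"""


def parse_flows(text):
    """Parse the simplified CSV flow export into dicts with IP objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    return ip in INTERNAL_NET


def pivot_watchlist(flows, seed_externals):
    """Two-hop pivot from known-suspect external systems.

    Returns (capture, new_externals, lateral):
      capture        internal host -> seed IPs it exchanged traffic with;
                     these are the hosts to add to the packet capture list
      new_externals  other external peers of those hosts, with the internal
                     hosts involved and total bytes, for analyst triage
                     (leads, not a blocklist: benign peers will appear too)
      lateral        internal-to-internal flows sourced from capture hosts,
                     i.e. possible lateral movement to follow up
    """
    seeds = {ip_address(s) for s in seed_externals}

    # Hop 1: internal hosts that talked with a seed system, in either direction.
    capture = {}
    for f in flows:
        for host, peer in ((f["src"], f["dst"]), (f["dst"], f["src"])):
            if is_internal(host) and peer in seeds:
                capture.setdefault(host, set()).add(peer)

    # Hop 2: other external systems those hosts talked with.
    new_externals = {}
    for f in flows:
        for host, peer in ((f["src"], f["dst"]), (f["dst"], f["src"])):
            if host in capture and not is_internal(peer) and peer not in seeds:
                entry = new_externals.setdefault(peer, {"hosts": set(), "bytes": 0})
                entry["hosts"].add(host)
                entry["bytes"] += f["bytes"]

    lateral = sorted({(str(f["src"]), str(f["dst"]), f["port"]) for f in flows
                      if f["src"] in capture and is_internal(f["dst"])})

    return (
        {str(h): sorted(str(p) for p in ps) for h, ps in capture.items()},
        {str(e): {"hosts": sorted(str(h) for h in v["hosts"]), "bytes": v["bytes"]}
         for e, v in new_externals.items()},
        lateral,
    )


def triage_order(new_externals):
    """Rank hop-2 leads by bytes transferred, highest first."""
    return sorted(new_externals, key=lambda ip: new_externals[ip]["bytes"], reverse=True)


if __name__ == "__main__":
    capture, new_ext, lateral = pivot_watchlist(parse_flows(FLOW_LOG), ["203.0.113.10"])
    print("Add to packet capture list:", capture)
    print("New external leads (by volume):", triage_order(new_ext))
    print("Possible lateral movement:", lateral)
```

Run against real flow exports, the hop-2 list is only as good as the retention window: a host whose only contact with the seed fell outside the retained days will not surface.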

An IT professional asked how long it took to get the incident response firm on site. The CISO responded that a contract was signed within several days; gear was shipped and installed a few days after that; and that the firm, once it arrived, took 17 days to figure out what was going on. The CISO and his team were very pleased with the firm's performance and, as previously noted, plan to maintain their business relationship.

A second IT professional asked if HCO 1 was happy with its insurer's support during the incident. The CISO responded affirmatively, noting that HCO 1 had paid the required deductible and that the carrier covered all the costs beyond that amount. He added that the carrier had helped HCO 1 get better prices for services in some cases, typically from approved vendors, and that requiring the use of approved vendors was a reasonable demand from his perspective.

CYBERSECURITY INSURANCE

The CISO advised that HCO 1 has maintained cybersecurity insurance since 2008 and that he considers it to be the cyber equivalent to a catastrophic health plan: in short, it provides limited coverage with a large deductible. In response to a question from a risk manager, he advised that he's fairly isolated from the financial side of insurance and that his only interaction with the insurer in that respect is to answer their annual [information security] questionnaire. While the CISO stated that HCO 1's risk transfer needs are being met by its existing policies, especially when it came to getting the incident response firm on-site quickly, he identified several gaps that he'd like to see the broader cybersecurity insurance market fill:

- Identity theft insurance for breach notification recipients, so individuals who experience fraud and related losses as a result of a breach can be made whole;
- Elimination of exceptions for widespread incidents such as Internet worms and viruses; and
- Coverage that applies to HCO 1 data regardless of where it lives, for example, beyond HCO 1's network to BYOD devices and Cloud/SaaS Services.

The CISO added that he would not welcome additional cybersecurity regulations being imposed by HCO 1's insurer through the insurance contract.

HEALTH CARE ORGANIZATION 2

ORGANIZATION OVERVIEW: The Chief Information Security Officer (CISO) for Health Care Organization 2 (HCO 2) described HCO 2 as an enterprise that includes six major hospitals, over 100 clinics, and a university system that includes a medical community of almost 60,000 members. It serves millions of patients. Given HCO 2's size, he explained, he doesn't have to look hard for examples of cyber incidents that occur within it.

The CISO stated that HCO 2's network security team employs approximately 30 full time equivalent (FTE) employees. He advised that approximately 15 of those FTEs are application security specialists, meaning that they set up rules dictating user access to systems. He added that approximately seven other FTEs work directly on network security issues while another seven focus on acquisitions or "buying security." The CISO commented that his team currently lacks risk management experts and "data cops." Finding and hiring specialists in these areas is difficult, he explained, because they have inherently tough and thankless jobs.

The CISO advised that he's made the case to HCO 2 leadership that the same person should not be responsible for all network security needs. He commented that the cybersecurity field is very specialized and that the person handling laptop encryption, for example, should not also be working on network security. As the cyber threat continues to escalate, he added, the need for specialized cybersecurity professionals will increase accordingly.

USE CASE PRESENTATION AND DISCUSSION: CYBER RISK LANDSCAPE

The CISO described the HCO 2 cyber risk landscape, and the cyber risk landscape for health care organizations generally, through the prism of electronic health records (EHRs) and the increasing number of security issues involving them.

LONGSTANDING CHALLENGES

The CISO observed that most doctors still use paper medical records despite the fact that health care providers have been talking about implementing EHRs since the 1960s.
He noted that the transition to EHRs has been slow for two main reasons. First, system designers often don't put the needs of end users, i.e., the doctors, first. Instead, they develop underlying infrastructure to support the creation, transfer, and storage of EHRs before they build out end user applications. The CISO commented that strict usability requirements of the medical profession create a high performance bar for the technology that must be satisfied before doctors will adopt it. For example, he explained, doctors examining patients can't wait minutes at a time for EHRs to load onto handheld devices. In addition to cutting into the doctor's efficiency and, consequently, his or her profit margin, inadequate technology (i.e., the end user application) and/or the perception thereof erodes patient confidence.

Second, EHR statutory and/or regulatory requirements themselves impose significant technical challenges that must be successfully addressed. The CISO described the two primary components of medical record exchange in most practices:

- Documentation, the so-called "easy part," such as when a doctor prescribes a medicine for a patient; and
- Order entry, the so-called "harder part," when an order for medicine or a test is actually placed based on a doctor's diagnosis and recommendation.

The CISO emphasized that the Health Information Technology for Economic and Clinical Health (HITECH) Act,[5] by requiring doctors to use electronic order entry by 2015,[6] has inserted medical IT into the center of medical practice itself. The importance of this new requirement, he commented, can't be overstated. The CISO added that getting electronic order entry wrong could cause a doctor's life to go from "bad to intolerably bad." Specifically, he stated that some technologies already slow down "trust delegation" data processes used by doctors today. In view of the fast approaching 2015 deadline, he added, some doctors fear that faulty or underperforming order entry technology could compromise their already brittle medical record exchange systems. The CISO observed that doctors further worry that the new mandate will require them to do more work, slow them down, and ultimately reduce their productivity by cutting the total number of patients they can see on a daily basis. Given the already low reimbursement rates of Medicare and other programs, he concluded, this could result in severe risk to a health care organization's already low profit margins.

5 The HITECH Act, enacted in Title XIII of the American Recovery and Reinvestment Act of 2009 (Pub.L ), set as a critical national goal the "meaningful use" of interoperable EHR. Wikipedia. "Health Information Technology for Economic and Clinical Health Act." ONLINE. N.D. Available: [23 January 2014]. The term "meaningful use" means that health care providers use certified EHR technology in ways that can be measured significantly in quality and quantity. U.S.
Department of Health and Human Services. ONLINE. N.D. Available: [24 January 2014]. Under the HITECH Act, health care providers that achieved "meaningful use" by 2011 became eligible for incentive payments. "Meaningful Use." ONLINE. N.D. Available: [8 January 2014]. Those who fail to do so by 2015 may be penalized. Id. Stage 1 meaningful use criteria set the baseline for electronic data capture and information sharing, while Stage 2 and Stage 3, expected to be implemented in 2015, will continue to expand on that baseline. Id.

6 Electronic order entry, also known as Computerized Physician Order Entry (CPOE), refers to a process of electronic entry of medical practitioner instructions for the treatment of patients (particularly hospitalized patients) under a physician's care. Wikipedia. "Computerized Physician Order Entry." ONLINE. N.D. Available: [8 January 2014]. These orders are communicated over a computer network to the medical staff or to the departments (pharmacy, laboratory, or radiology) responsible for fulfilling the order. Id. CPOE is intended to decrease delay in order completion, reduce errors related to handwriting or transcription, allow order entry at the point of care or off-site, provide error-checking for duplicate or incorrect doses or tests, and simplify inventory and posting of charges. Id.

When another IT professional responded that some of the challenges with adopting electronic order entry may arise from the preferences of individual doctors rather than from underlying sector dynamics, i.e., "people problems" versus "process problems," the CISO disagreed. He stated that medical IT applications have always slowed doctors down, but that they typically complete only the documentation portion of the medical record exchange process, leaving order entry to other staff such as nurses, pharmacists, and other licensed professionals. Regardless of the technical preference of doctors, he added, the requirement that they now play a bigger role in the order entry process itself imposes a significant burden. The CISO concluded that doctors typically aren't technophobes but literally can't afford to be slowed down by anything at the patient point of care.

The CISO remarked that the EHR solutions industry is comparatively immature, likening it to the maturity of enterprise resource planning (ERP) solutions in the 1980s and 1990s.[7] While massive changes in the EHR solutions industry are underway, he continued, obtaining the right solutions still can be very hard. He noted that integrating and obtaining required levels of interoperability among systems, based on existing Health Level Seven International (HL7) and other standards, present even more complex challenges that will require patience and tolerance by all relevant stakeholders as the health care sector evolves in the years ahead.

The CISO then cited the overwhelming need for health care organizations to communicate both internally among their various business units and externally with other organizations in order to serve their patients. In view of the complex coordination this requires, he observed, it's not surprising that their medical record exchange systems are brittle. Securing brittle systems is very difficult, he added, and imposing new layers of security on them only contributes to their brittleness.
The CISO concluded that for these reasons, health care organizations generally are not predisposed to supporting major cybersecurity investments.

REGULATORY REGIMES AND AUDITS

HIPAA

Despite these challenges, the CISO explained that cyber incidents nevertheless are very much on the radar of most health care organizations given the main regulatory structure against which they must perform: HIPAA. Although he described HIPAA as a law that's difficult to decipher, he stated that health care organizations pay very close attention to the results of HIPAA audits in order to understand how the Department of Health and Human Services (HHS) assesses and evaluates cybersecurity best practices. The CISO disclosed that HHS recently subjected HCO 2 to

7 Enterprise resource planning (ERP) software refers to business process management software that allows an organization to use a system of integrated applications to manage its business and automate back office functions. Webopedia. "ERP Enterprise Resource Planning." ONLINE. N.D. Available: [14 January 2014]. ERP software integrates all facets of an organization's operation, including product planning, development, manufacturing processes, sales and marketing. Id.


Data Protection Policy & Procedure Data Prtectin Plicy & Prcedure Page 1 Prcnnect Marketing Data Prtectin Plicy V1.2 Data prtectin plicy Cntext and verview Key details Plicy prepared by: Adam Haycck Apprved by bard / management n: 01/01/2015

More information

ENTERPRISE RISK MANAGEMENT ENTERPRISE RISK MANAGEMENT POLICY

ENTERPRISE RISK MANAGEMENT ENTERPRISE RISK MANAGEMENT POLICY ENTERPRISE RISK MANAGEMENT POLICY Plicy N. 10014 Review Date Octber 1, 2014 Effective Date March 1, 2014 Crss- Respnsibility Vice President, Reference Administratin Apprver Executive Cuncil 1. 1. Plicy

More information

How to Address Key Selection Criteria

How to Address Key Selection Criteria Hw t Address Key Selectin Criteria Yu've seen an jb pprtunity that yu're interested in, n a jbs bard r in the press and want t apply, but where d yu start? A key requirement fr jbs in Gvernment is t respnd

More information

National Australia Bank Limited Group Disclosure & External Communications Policy

National Australia Bank Limited Group Disclosure & External Communications Policy Natinal Australia Bank Limited Grup Disclsure & External Cmmunicatins Plicy Grup Disclsure & External Cmmunicatins Plicy Page 2 f 7 Grup Disclsure & External Cmmunicatins Plicy ( the Plicy ) 1. Overview

More information

MANITOBA SECURITIES COMMISSION STRATEGIC PLAN 2013-2016

MANITOBA SECURITIES COMMISSION STRATEGIC PLAN 2013-2016 MANITOBA SECURITIES COMMISSION STRATEGIC PLAN 2013-2016 The Manitba Securities Cmmissin (the Cmmissin) is a divisin f the Manitba Financial Services Agency (MFSA). The ther divisin is the Financial Institutins

More information

Audit Committee Charter. St Andrew s Insurance (Australia) Pty Ltd St Andrew s Life Insurance Pty Ltd St Andrew s Australia Services Pty Ltd

Audit Committee Charter. St Andrew s Insurance (Australia) Pty Ltd St Andrew s Life Insurance Pty Ltd St Andrew s Australia Services Pty Ltd Audit Cmmittee Charter St Andrew s Insurance (Australia) Pty Ltd St Andrew s Life Insurance Pty Ltd St Andrew s Australia Services Pty Ltd Versin 2.0, 22 February 2016 Apprver Bard f Directrs St Andrew

More information

Improved Data Center Power Consumption and Streamlining Management in Windows Server 2008 R2 with SP1

Improved Data Center Power Consumption and Streamlining Management in Windows Server 2008 R2 with SP1 Imprved Data Center Pwer Cnsumptin and Streamlining Management in Windws Server 2008 R2 with SP1 Disclaimer The infrmatin cntained in this dcument represents the current view f Micrsft Crpratin n the issues

More information

The Importance Advanced Data Collection System Maintenance. Berry Drijsen Global Service Business Manager. knowledge to shape your future

The Importance Advanced Data Collection System Maintenance. Berry Drijsen Global Service Business Manager. knowledge to shape your future The Imprtance Advanced Data Cllectin System Maintenance Berry Drijsen Glbal Service Business Manager WHITE PAPER knwledge t shape yur future The Imprtance Advanced Data Cllectin System Maintenance Cntents

More information

ITIL Release Control & Validation (RCV) Certification Program - 5 Days

ITIL Release Control & Validation (RCV) Certification Program - 5 Days ITIL Release Cntrl & Validatin (RCV) Certificatin Prgram - 5 Days Prgram Overview ITIL is a set f best practices guidance that has becme a wrldwide-adpted framewrk fr Infrmatin Technlgy Services Management

More information

COPIES-F.Y.I., INC. Policies and Procedures Data Security Policy

COPIES-F.Y.I., INC. Policies and Procedures Data Security Policy COPIES-F.Y.I., INC. Plicies and Prcedures Data Security Plicy Page 2 f 7 Preamble Mst f Cpies FYI, Incrprated financial, administrative, research, and clinical systems are accessible thrugh the campus

More information

Mobile Workforce. Improving Productivity, Improving Profitability

Mobile Workforce. Improving Productivity, Improving Profitability Mbile Wrkfrce Imprving Prductivity, Imprving Prfitability White Paper The Business Challenge Between increasing peratinal cst, staff turnver, budget cnstraints and pressure t deliver prducts and services

More information

The chief executive officer and the chief finance officer are ex-officio members of the board.

The chief executive officer and the chief finance officer are ex-officio members of the board. DATATEC LIMITED BOARD CHARTER / TERMS OF REFERENCE 1. CONSTITUTION The primary bjective f the Cmpany s Bard Charter is t set ut the rle and respnsibilities f the Bard f Directrs ( the Bard ) as well as

More information

Delaware Performance Appraisal System

Delaware Performance Appraisal System Delaware Perfrmance Appraisal System Building greater skills and knwledge fr educatrs DPAS-II Guide fr Administratrs (District Administratrs) Supervisr Rubric fr Evaluating District Administratrs Updated

More information

Mobile Telecom Expense Management

Mobile Telecom Expense Management Mbile Telecm Expense Management Quick Start Mbile Telecm Expense Management Intrductin The BT Mbile Telecm Expense Management Quick Start Service is part BT Managed Mbility Expenses* BT s suite f telecm

More information

Watlington and Chalgrove GP Practice - Patient Satisfaction Survey 2011

Watlington and Chalgrove GP Practice - Patient Satisfaction Survey 2011 Watlingtn and Chalgrve GP - Patient Satisfactin Survey 2011 Backgrund During ne week in Nvember last year patients attending either the Chalgrve r the Watlingtn surgeries were asked t cmplete a survey

More information

Chief Finance and Operations Officer IfM Education and Consultancy Services (IfM ECS)

Chief Finance and Operations Officer IfM Education and Consultancy Services (IfM ECS) Chief Finance and Operatins Officer IfM Educatin and Cnsultancy Services (IfM ECS) Rle Summary IfM ECS disseminates the research and educatin utputs f the University f Cambridge Institute fr Manufacturing

More information

Sample Role Description Immunization Information System (IIS) Testing Analyst

Sample Role Description Immunization Information System (IIS) Testing Analyst Sample Rle Descriptin Immunizatin Infrmatin System (IIS) Testing Analyst Nte: This rle descriptin is meant t ffer sample language and a cmprehensive list f ptential desired respnsibilities with crrespnding

More information

WHITE PAPER. Vendor Managed Inventory (VMI) is Not Just for A Items

WHITE PAPER. Vendor Managed Inventory (VMI) is Not Just for A Items WHITE PAPER Vendr Managed Inventry (VMI) is Nt Just fr A Items Why it s Critical fr Plumbing Manufacturers t als Manage Whlesalers B & C Items Executive Summary Prven Results fr VMI-managed SKUs*: Stck-uts

More information

Business Plan 2014-15

Business Plan 2014-15 Cmmissin fr Lcal Administratin in England Business Plan 2014-15 All Business Plan activity is linked t ur fur Strategic Objectives LGO Business Plan 2014-2015 v web 3 Page 1 descriptin 1. Prvide a cmplaints

More information

The Cost Benefits of the Cloud are More About Real Estate Than IT

The Cost Benefits of the Cloud are More About Real Estate Than IT y The Cst Benefits f the Clud are Mre Abut Real Estate Than IT #$#%&'()*( An Osterman Research Executive Brief Published December 2010 "#$#%&'()*( Osterman Research, Inc. P.O. Bx 1058 Black Diamnd, Washingtn

More information

Virtual Meetings and Virtual Teams Using Technology to Work Smarter

Virtual Meetings and Virtual Teams Using Technology to Work Smarter http://www.psu.edu/president/pia/innvatin/ INNOVATION INSIGHT SERIES NUMBER 9 Virtual Meetings and Virtual Teams Using Technlgy t Wrk Smarter Yu need t have a meeting. Sme f the peple yu d like t include

More information

This report provides Members with an update on of the financial performance of the Corporation s managed IS service contract with Agilisys Ltd.

This report provides Members with an update on of the financial performance of the Corporation s managed IS service contract with Agilisys Ltd. Cmmittee: Date(s): Infrmatin Systems Sub Cmmittee 11 th March 2015 Subject: Agilisys Managed Service Financial Reprt Reprt f: Chamberlain Summary Public Fr Infrmatin This reprt prvides Members with an

More information

TrustED Briefing Series:

TrustED Briefing Series: TrustED Briefing Series: Since 2001, TrustCC has prvided IT audits and security assessments t hundreds f financial institutins thrugh ut the United States. Our TrustED Briefing Series are white papers

More information

The Importance of Market Research

The Importance of Market Research The Imprtance f Market Research 1. What is market research? Successful businesses have extensive knwledge f their custmers and their cmpetitrs. Market research is the prcess f gathering infrmatin which

More information

Remote Working (Policy & Procedure)

Remote Working (Policy & Procedure) Remte Wrking (Plicy & Prcedure) Publicatin Scheme Y/N Department f Origin Plicy Hlder Authrs Can be published n Frce Website Prfessinal Standards Department (PSD) Ch Supt Head f PSD IT Security Officer

More information

Session 9 : Information Security and Risk

Session 9 : Information Security and Risk INFORMATION STRATEGY Sessin 9 : Infrmatin Security and Risk Tharaka Tennekn B.Sc (Hns) Cmputing, MBA (PIM - USJ) POST GRADUATE DIPLOMA IN BUSINESS AND FINANCE 2014 Infrmatin Management Framewrk 2 Infrmatin

More information

Project Open Hand Atlanta. Health Insurance Portability and Accountability Act (HIPAA) NOTICE OF PRIVACY PRACTICES

Project Open Hand Atlanta. Health Insurance Portability and Accountability Act (HIPAA) NOTICE OF PRIVACY PRACTICES Prject Open Hand Atlanta Effective Date: April 14, 2003 Health Insurance Prtability and Accuntability Act (HIPAA) The Health Insurance Prtability and Accuntability Act f 1996 (HIPAA) directs health care

More information

Chapter 7 Business Continuity and Risk Management

Chapter 7 Business Continuity and Risk Management Chapter 7 Business Cntinuity and Risk Management Sectin 01 Business Cntinuity Management 070101 Initiating the Business Cntinuity Plan (BCP) Purpse: T establish the apprpriate level f business cntinuity

More information

First Global Data Corp.

First Global Data Corp. First Glbal Data Crp. Privacy Plicy As f February 23, 2015 Ding business with First Glbal Data Crp. ("First Glbal", First Glbal Mney, "we" r "us", which includes First Glbal Data Crp. s subsidiary, First

More information

POLICY 1390 Information Technology Continuity of Business Planning Issued: June 4, 2009 Revised: June 12, 2014

POLICY 1390 Information Technology Continuity of Business Planning Issued: June 4, 2009 Revised: June 12, 2014 State f Michigan POLICY 1390 Infrmatin Technlgy Cntinuity f Business Planning Issued: June 4, 2009 Revised: June 12, 2014 SUBJECT: APPLICATION: PURPOSE: CONTACT AGENCY: Plicy fr Infrmatin Technlgy (IT)

More information

Version Date Comments / Changes 1.0 January 2015 Initial Policy Released

Version Date Comments / Changes 1.0 January 2015 Initial Policy Released Page 1 f 6 Vice President, Infrmatics and Transfrmatin Supprt APPROVED (S) REVISED / REVIEWED SUMMARY Versin Date Cmments / Changes 1.0 Initial Plicy Released INTENT / PURPOSE The Infrmatin and Data Gvernance

More information

IT CHANGE MANAGEMENT POLICY

IT CHANGE MANAGEMENT POLICY IT CHANGE MANAGEMENT POLICY Effective Date May 19, 2016 Crss-Reference 1. IT Operatins and Maintenance Plicy 2. IT Security Incident Management Plicy Respnsibility Apprver Review Schedule 1. Plicy Statement

More information

Hampton Roads Orthopaedics & Sports Medicine. Notice of Privacy Practices

Hampton Roads Orthopaedics & Sports Medicine. Notice of Privacy Practices This is being prvided t yu as a requirement f the privacy regulatins issued under the Health Insurance Prtability and Accuntability Act f 1996 (HIPAA). This ntice describes hw HROSM may use and disclse

More information

Defining Sales Campaign Automation How e-mail, the Killer App, is best applied to marketing

Defining Sales Campaign Automation How e-mail, the Killer App, is best applied to marketing Defining Sales Campaign Autmatin Hw e-mail, the Killer App, is best applied t marketing Summary: Cmpanies tday are steadily adpting strategies and technlgies t reach prspects, custmers, and partners thrugh

More information

A Quick Read on the State of Small Business and the Small Business Success Index 2009 Baseline Study of Small Business Success

A Quick Read on the State of Small Business and the Small Business Success Index 2009 Baseline Study of Small Business Success A Quick Read n the State f Small Business and the Small Business Success Index 2009 Baseline Study f Small Business Success March 12, 2009 Spnsred by: Netwrk Slutins, LLC and Rbert H. Smith Schl f Business,

More information

Privacy Breach and Complaint Protocol

Privacy Breach and Complaint Protocol Privacy Breach and Cmplaint Prtcl Effective: December 31, 2012 Apprved by: Le McKenna, CFO 1.0 General Privacy breaches and privacy cmplaints will be handled in accrdance with this prtcl. This prtcl is

More information

Phi Kappa Sigma International Fraternity Insurance Billing Methodology

Phi Kappa Sigma International Fraternity Insurance Billing Methodology Phi Kappa Sigma Internatinal Fraternity Insurance Billing Methdlgy The Phi Kappa Sigma Internatinal Fraternity Executive Bard implres each chapter t thrughly review the attached methdlgy and plan nw t

More information

WHAT SHOULD I LOOK FOR WHEN I BUY HEALTH INSURANCE?

WHAT SHOULD I LOOK FOR WHEN I BUY HEALTH INSURANCE? WHAT SHOULD I LOOK FOR WHEN I BUY HEALTH INSURANCE? The Maine Bureau f Insurance 34 State Huse Statin Augusta, Maine 04333 207-624-8475 r 1-800-300-5000 (in Maine) http://www.maine.gv/pfr/insurance Paul

More information

POSITION NUMBER: LOCATION: Vancouver. DATE: February 2009

POSITION NUMBER: LOCATION: Vancouver. DATE: February 2009 POSITION TITLE: Team Lead Service Centre DIVISION/BRANCH: IS/IT CURRENT CLASSIFICATION LEVEL: IS27 SUPERVISOR S POSITION NUMBER POSITION NUMBER: LOCATION: Vancuver DATE: February 2009 SUPERVISOR S TITLE/CLASSIFICATION:

More information

ONGOING FEEDBACK AND PERFORMANCE MANAGEMENT. A. Principles and Benefits of Ongoing Feedback

ONGOING FEEDBACK AND PERFORMANCE MANAGEMENT. A. Principles and Benefits of Ongoing Feedback ONGOING FEEDBACK AND PERFORMANCE MANAGEMENT A. Principles and Benefits f Onging Feedback While it may seem like an added respnsibility t managers already "full plate," managers that prvide nging feedback

More information

VCU Payment Card Policy

VCU Payment Card Policy VCU Payment Card Plicy Plicy Type: Administrative Respnsible Office: Treasury Services Initial Plicy Apprved: 12/05/2013 Current Revisin Apprved: 12/05/2013 Plicy Statement and Purpse The purpse f this

More information

Grant Application Writing Tips and Tricks

Grant Application Writing Tips and Tricks Grant Applicatin Writing Tips and Tricks Grants are prvided by gvernment (lcal, state and natinal), charitable trusts, and by cmmunity rganisatins (eg Ltteries, Rtary, etc). Each grant has a specific purpse,

More information

Malpractice and Maladministration Policy

Malpractice and Maladministration Policy TR340 Malpractice and Maladministratin Plicy This plicy aims t: Define malpractice and maladministratin in the cntext f CIM/CAM studying members, Accredited study centres (ASCs), examinatin centres, invigilatrs

More information

CCHIIM ICD-10 Continuing Education Requirements for AHIMA Certified Professionals (& Frequently Asked Questions for Recertification)

CCHIIM ICD-10 Continuing Education Requirements for AHIMA Certified Professionals (& Frequently Asked Questions for Recertification) CCHIIM ICD-10 Cntinuing Educatin Requirements fr AHIMA Certified Prfessinals (& Frequently Asked Questins fr Recertificatin) The transitin t ICD-10-CM and ICD-10-PCS is anticipated t imprve the capture

More information

NYU Langone Medical Center NYU Hospitals Center NYU School of Medicine

NYU Langone Medical Center NYU Hospitals Center NYU School of Medicine Title: Identity Theft Prgram Effective Date: July 2009 NYU Langne Medical Center NYU Hspitals Center NYU Schl f Medicine POLICY It is the plicy f the NYU Langne Medical Center t educate and train staff

More information

Army DCIPS Employee Self-Report of Accomplishments Overview Revised July 2012

Army DCIPS Employee Self-Report of Accomplishments Overview Revised July 2012 Army DCIPS Emplyee Self-Reprt f Accmplishments Overview Revised July 2012 Table f Cntents Self-Reprt f Accmplishments Overview... 3 Understanding the Emplyee Self-Reprt f Accmplishments... 3 Thinking Abut

More information

POSITION DESCRIPTION. Classification Higher Education Worker, Level 7. Responsible to. I.T Manager. The Position

POSITION DESCRIPTION. Classification Higher Education Worker, Level 7. Responsible to. I.T Manager. The Position Psitin Title I.T Prject Officer Classificatin Higher Educatin Wrker, Level 7 Respnsible t The Psitin I.T Manager The psitin assists with the cmpletin f varius IT prjects intended t enable the nging administratin

More information

POLISH STANDARDS ON HEALTH AND SAFETY AS A TOOL FOR IMPLEMENTING REQUIREMENTS OF THE EUROPEAN DIRECTIVES INTO THE PRACTICE OF ENTERPRISES

POLISH STANDARDS ON HEALTH AND SAFETY AS A TOOL FOR IMPLEMENTING REQUIREMENTS OF THE EUROPEAN DIRECTIVES INTO THE PRACTICE OF ENTERPRISES POLISH STANDARDS ON HEALTH AND SAFETY AS A TOOL FOR IMPLEMENTING REQUIREMENTS OF THE EUROPEAN DIRECTIVES INTO THE PRACTICE OF ENTERPRISES M. PĘCIŁŁO Central Institute fr Labur Prtectin ul. Czerniakwska

More information

Hearing Loss Regulations Vendor information pack

Hearing Loss Regulations Vendor information pack Hearing Lss Regulatins Vendr infrmatin pack Nvember 2010 Implementing the Accident Cmpensatin (Apprtining Entitlements fr Hearing Lss) Regulatins 2010 The Minister fr ACC, the Hn. Dr Nick Smith, has annunced

More information

HOW TO SELECT A LIFE INSURANCE COMPANY

HOW TO SELECT A LIFE INSURANCE COMPANY HOW TO SELECT A LIFE INSURANCE COMPANY There will prbably be hundreds f life insurance cmpanies t chse frm when yu decide t purchase a life insurance plicy. Hw d yu decide which ne? Mst cmpanies are quite

More information