1 MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28, 2011
2 MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts 1. Purpose and Scope 2. Definitions 3. Duty to Protect and Standards for Protecting Personal Information 4. Computer System Security Requirements 5. Montserrat s Response and Action Plan Appendix I - Security Compliance Training Plan and Schedule Appendix II - Third Party Security Compliance Audit (not yet scheduled)
3 1.0 - Purpose and Scope Purpose: This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. Further purposes are to (i) ensure the security and confidentiality of such information in a manner consistent with industry standards, (ii) protect against anticipated threats or hazards to the security or integrity of such information, and (iii) protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud against such residents. Scope: The provisions of this regulation apply to all persons that own, license, store or maintain personal information about a resident of the Commonwealth.
4 2.0 Definitions Breach of Security - the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure. Electronic - relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities. Employee includes all full-time, part-time, seasonal, temporary, contractors, consultants, volunteers, interns, students or anyone else who may perform work for the College. Encrypted - the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key. Owns or licenses, receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment. Personal Information - a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident s financial account; provided, however, that Personal information should not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public. Record or Records - any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics. Service Provider, any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation.
5 3.0 - Duty to Protect and Standards for Protecting Personal Information Every person that owns or licenses personal information about a resident of the Commonwealth should develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information. Such comprehensive information security program must be consistent with industry standards, and should contain administrative, technical, and physical safeguards to ensure the security and confidentiality of such records. Moreover, the safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns, licenses, stores or maintains such information may be regulated. The Montserrat College of Art comprehensive information security program should include, but is not limited to: 1. Designating one or more employees to maintain the comprehensive information security program. 2. Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to: a. continuous employee (including temporary and contract employee) training b. employee compliance with policies and procedures c. means for detecting and preventing security system failures 3. Developing security policies for employees that take into account if and how employees should be allowed to store, access, and transport records containing personal information outside of business premises. 4. Imposing disciplinary measures for violations of the comprehensive information security program rules. 5. Preventing terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names. 6. Taking all reasonable steps to verify that any third-party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.00; and taking all reasonable steps to ensure that such third party service provider is applying to such personal information protective security measures at least as stringent as those required to be applied to personal information under 201 CMR
6 7. Limiting the amount and access of personal information collected to that which is reasonably necessary to accomplish the legitimate purpose for which it is collected or to comply with state or federal record retention requirements. 8. Identifying paper, electronic, computing systems, storage media, including laptops and portable devices used to store personal information. Determining which records contain personal information, except where the comprehensive information security program provides for the handling of all records as if they all contained personal information. 9. Implementing reasonable restrictions upon physical access to records containing personal information, including a written procedure that outlines the manner in which physical access to such records is restricted. Enabling restrictions for storage of such records and data, i.e. locked facilities, storage areas or containers. 10. Regular monitoring to ensure that the comprehensive information security program is operating in a manner to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks. 11. Reviewing the scope of the security measures at least annually or when there is a material change in business practices that may affect the security or integrity of records containing personal information. 12. Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.
7 4.0 - Computer System Security Requirements Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible shall have the following elements: (1) Secure user authentication protocols including: (a) control of user IDs and other identifiers; (b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices; (c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect; (d) restricting access to active users and active user accounts only; and, (e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system; (2) Secure access control measures that: (a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and (b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls; (3) To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information that will be transmitted wirelessly. (4) Reasonable monitoring of systems, for unauthorized use of or access to personal information; (5) To the extent technically feasible, encryption of all personal information stored on laptops or other portable devices (6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information. (7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis. (8) Education and training of employees on the proper use of the computer security systems and the importance of personal information security.
8 5.0 Montserrat College of Art s Response and Action Plan A. Program Overview Montserrat College of Art has developed this comprehensive written information security program (WISP) in order to create effective administrative, technical and physical safeguards for the protection of Personal Information ( Personal Information or PI ) and to comply with 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth ( Regulations ). Personal Information means a Massachusetts resident s first name and last name, or first initial and last name, in combination with one or more of the following data elements that relate to the resident: (a) Social Security number, (b) Driver s License number or state-issued identification card number; or (c) Financial Account number, or debit or credit card number, with or without any required security code, access code, Personal Identification Number (PIN) or password, that would permit access to a resident s financial account. Personal Information shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public. This Program has been approved and adopted by the President s Cabinet. This Program may be amended from time to time by the College as necessary to upgrade the PI safeguards contained herein in order to limit risks or as otherwise necessary to comply with the law, with the approval of the President s Cabinet. B. Purpose and Scope The purpose of this Program is to establish administrative, technical, and physical safeguards to protect Personal Information that is owned, licensed, stored, or maintained by Montserrat College of Art, whether such information is contained in paper, electronic records or in any other form. This Program is designed to ensure the security and confidentiality of Personal Information, to protect against anticipated threats or hazards to the security or integrity of Personal Information, and to protect against unauthorized access to or use of Personal Information in a manner that creates a substantial risk of identity theft or fraud. C. Administration of Information Security Program 1. Program Administration. The College s IT Manager, will be the primary Information Security Coordinator for this Program, with the Human Resources Director being secondary. 2. Responsibilities of Information Security Coordinator. The Information Security Coordinator will be responsible, with the support of the College and the President s Cabinet, to perform each of the following responsibilities, among others: a. Develop, implement, administer, monitor, review, and update this
9 Program from time to time, consistent with the requirements of the Regulations; b. Oversee ongoing employee training and any communications involving this Program; c. Address any information security issues, including employee compliance and access to the College s Personal Information by former employees, that may arise from time to time. Provide input to the College regarding the imposition of disciplinary measures for violations of the Program; Disciplinary action for violations to this policy will be determined by the IT Manager and the Human Resources Director and will be issued by the direct supervisor; and d. Take all reasonable steps to verify that any third-party service provider with access to the College s Personal Information has the capacity to protect such Personal Information in the manner consistent with this Program and the requirements of the Regulations and that any such third party service provider applies protective security measures at least as stringent as those required by the Regulations. D. Compliance with the Program 1. Compliance. All employees (whether full-time, part-time, substitute, seasonal, or temporary) and independent contractors, consultants, and volunteers are subject to the applicable requirements set forth in this Program. 2. Non-Compliance. Instances of non-compliance with this Program must be reported immediately to the Information Security Coordinator. Violations may result in disciplinary action by the College, up to and including termination of employment. 3. Non-Retaliation. It is unlawful and against College policy to retaliate against anyone who reports a violation of this Program or who cooperates in an investigation regarding non-compliance with this Program. Any such retaliation will result in disciplinary action by the College, up to and including termination of employment. E. Record Retention 1. Retention. The College only collects and maintains records and files containing Personal Information of the type, and for the length of time, reasonably necessary to accomplish the College s legitimate business purposes, or as otherwise necessary for the College to comply with other local, state, or federal regulations or requirements. The College periodically reviews its records, files, and form documents to ensure that the College is not gathering and retaining Personal Information unless there is a legitimate business purpose and/or to comply with applicable laws.
10 2. Return of Records. All employees, contractors, consultants, and volunteers of the College are required upon termination, resignation, or other separation from the College for any reason, or earlier, to return all records and files containing Personal Information owned and licensed by the College, including but not limited to that of current or former students, employees, or other service providers of the College, in any form that may at the time of such separation be in their possession or control, and including but not limited to all such information stored on laptops, portable devices (e.g., thumb drives, zip drives, CDs, DVDs, cell phones, or blackberries) in files, records, notes, paper or other media. F. Handling of Personal Information Personal Information must be handled in the following manner: 1. Creation. Upon creation of paper, electronic documents and files that contain Personal Information, such documents and files must be marked as Confidential. 2. Storage. Paper documents containing Personal Information must be stored in a locked or otherwise secured desk, file cabinet, office, or controlled area when unattended. Storage of electronic Personal Information should be kept to a minimum, and any Personal Information stored electronically must be stored in an area that requires user authentication and a password. 3. Access, Sharing, and Disclosure. Access, sharing, and disclosure of records or files containing Personal Information is limited to those persons who are reasonably required to know such information in order to accomplish the College s legitimate business purposes or to enable the College to comply with other local, state, or federal regulations or requirements. 4. Transmission. Voice communications involving Personal Information must be kept to a minimum and performed in closed or secured locations. Transmission of Personal Information in paper or hard-copy form outside of the College, or other removal of Personal Information from the College s premises, must be done with reasonable precaution and in accordance with any applicable College procedures and/or rules to ensure the security and prevention of unauthorized disclosure of Personal Information. To the extent technically feasible, the electronic transmission of records and files containing Personal Information across public networks and all data containing Personal Information transmitted wirelessly, must be encrypted to ensure the security of such information and to prevent unauthorized disclosure. 5. Disposal. Personal Information must be disposed of when no longer needed by the College. Electronic and paper documents, as well as hard-copies of records or files containing Personal Information determined by the College to be unnecessary must be disposed of by cross-cut shredding, erasing, incinerating, pulping, redacting, or burning, so that Personal Information cannot be read or reconstructed. Electronic Personal Information determined by the College to be no longer needed must be
11 destroyed or erased so that Personal Information cannot practicably be read or reconstructed. G. Physical and Environmental Controls 1. Use and Storage of Files. Employees, contractors, consultants, and volunteers of the College must not keep open documents or files containing Personal Information on their desks either unsecured or unattended. This policy applies to both hard-copies and electronic copies of records and files containing Personal Information. At the end of the work day, all files and other records containing Personal Information must be secured in a manner that is consistent with this Program and the requirements of the Regulations. 2. Blocked Physical Access. The College prohibits and blocks physical access to records and files containing Personal Information by any individual without authorization. Access to records and files containing Personal Information is limited to those persons who are reasonably required to know such information in order to accomplish the College s legitimate business purposes or to enable the College to comply with other local, state, or federal regulations or requirements. Employees, contractors, consultants, and volunteers of the College are required, upon termination, resignation or other separation from the College to surrender all keys, IDs, access codes, badges, business cards, and the like, that permit access to the College s premises or to records of the College containing Personal Information. 3. Visitors. Visitors of the College are prohibited and blocked from accessing any records or files of the College containing Personal Information. H. IT Policies and Procedures 1. Electronic Access. a. The College has in place secure user authentication protocols, including (i) control of user IDs and other identifiers, (ii) a reasonably secure method of assigning and selecting passwords; and (iii) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect. b. The College assigns unique identifications plus passwords that are designed to maintain the integrity of the security of the access controls, and prohibits the use of vendor supplied default passwords, to each authorized active user. c. The College limits access to electronic records and data containing Personal Information strictly to authorized users and active user accounts. Only users with a need to access such Personal Information in order to perform their job duties are allowed access. The Information Security Coordinator in consultation with the College will assess each individual s role to determine if such access should be granted.
12 d. The College requires that current computer or network passwords be changed every 6 months. The College blocks access to users after 3 unsuccessful attempts to gain electronic access to records or files containing Personal Information. e. The College blocks electronic access to Personal Information by former employees, former service providers of the College, and other individuals who are no longer authorized to use active accounts. f. The College promptly terminates and prohibits electronic access by former employees, service providers of the College, and other individuals who are no longer authorized users with an active user account to records and files containing Personal Information. Voic , and College internet access, along with passwords are also promptly disabled or blocked. 4. Network Security. a. The College monitors all of its computer systems for unauthorized use of or access to records and files containing Personal Information. b. The College has and will continue to maintain reasonably up-to-date firewall protection and operating system security patches on all of its systems maintaining Personal Information, in order to maintain the integrity of such information. c. The College has and will maintain reasonably up-to-date versions of system security agent software which includes malware protection and reasonably up-todate patches and virus definitions, installed on all of its systems processing Personal Information. 5. Encryption. I. Security Awareness To the extent technically feasible, the College encrypts all records and files of the College containing Personal Information transmitted across public networks or wirelessly. 1. Training. The College will endeavor to provide education and training regarding this Program, including the proper use of the College s computer security system and the importance of Personal Information security, to all employees, contractors, consultants, and volunteers. 2. Copies of WISP. The College will endeavor to provide copies of its WISP to its employees, contractors, volunteers, and third-party service providers.
13 J. Third-Party Service Providers 1. Vetting Process. Before engaging a third-party service provider who will have access to Personal Information, the College will perform their reasonable due diligence to assess whether a prospective third-party service provider is capable of safeguarding Personal Information in the manner required by this Program. Due diligence efforts may include, but are not limited to: discussions with the prospective third-party service provider s personnel, reviewing the prospective third-party service provider s privacy and/or information security policies, requesting the prospective third-party service provider to complete a security questionnaire or otherwise answer security-related questions. No later than March 1, 2012, the College will require third-party service providers by contract to implement and maintain appropriate security measures for Personal Information. 2. Monitoring. The College will periodically review and monitor the performance of its third-party service providers who have access to the College s Personal Information in order to ensure that such third-party service providers are applying protective security measures at least as stringent as those required by the Regulations. K. Risk Assessment and Incident Management 1. Identifying Records and Files Containing Personal Information. The College will regularly evaluate its paper, electronic, and other records, electronic systems, and storage media (including laptops and portable devices used to store Personal Information) to determine which records, files, and systems contain Personal Information. 2. Ongoing Risk Assessment. The College will, on a periodic basis, (i) conduct a review to identify reasonably foreseeable internal and external risks to the security, confidentiality, or integrity of any electronic, paper, or other records containing Personal Information; (ii) assess the possible and potential damage of these threats, taking into consideration the sensitivity of the Personal Information; (iii) evaluate the adequacy of this Program to control those risks; and (iv) revise this Program to minimize those risks, consistent with the requirements of the Regulations. This risk assessment will include, but is not be limited to: an assessment of the effectiveness of ongoing employee training, employee compliance with this Program, and existing means for detecting and preventing security system failures in safeguarding Personal Information from internal and external risks. 3. Review of Program. The College conducts a formal review of this Program at least annually, and whenever there is a material change in the College s business practices that may reasonably implicate the security or integrity of records or files containing Personal Information.
14 4. Reporting Obligation. In the event of a breach of security, the College will notify the Attorney General, Office of Consumer Affairs and Business Regulation, and/or the affected Massachusetts resident(s) of the breach or unauthorized use or acquisition of Personal Information, as required by law. 5. Incident Review. The College will document any responsive actions taken in response to a security breach. The College will conduct a prompt review of any security breach, and will document any changes it makes to its WISP as a result of a security breach in order to improve the security of records and files containing Personal Information.
Client Advisory October 2009 Data Security Law MGL Chapter 93H and 201 CMR 17.00 For a discussion of these and other issues, please visit the update on our website at /law. To receive mailings via email,
SAMPLE TEMPLATE Massachusetts Written Information Security Plan Developed by: Jamy B. Madeja, Esq. Erik Rexford 617-227-8410 firstname.lastname@example.org Each business is required by Massachusetts law
Written Information Security Plan (WISP) for HR Knowledge, Inc. This document has been approved for general distribution. Last modified January 01, 2014 Written Information Security Policy (WISP) for HR
Massachusetts Identity Theft/ Data Security Regulations Effective March 1, 2010 Are You Ready? SPECIAL REPORT All We Do Is Work. Workplace Law. In four time zones and 45 major locations coast to coast.
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...
Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00) May 15, 2009 LLP US Information Security Framework Historically industry-specific HIPAA Fair Credit Reporting
MASSACHUSETTS IDENTITY THEFT RANKING BY STATE: Rank 23, 66.5 Complaints Per 100,000 Population, 4292 Complaints (2006) Updated January 17, 2009 Current Laws: Identity Crime: A person is guilty of identity
View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation MELISSA J. KRASNOW, DORSEY & WHITNEY LLP
View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP
Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP A Note discussing written information security programs (WISPs)
ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010 OBJECTIVE This Security Plan (the Plan ) is intended to create effective administrative, technical and physical safeguards for the protection
Navigating the New MA Data Security Regulations Robert A. Fisher, Esq. 2009 Foley Hoag LLP. All Rights Reserved. Presentation Title Data Security Law Chapter 93H Enacted after the TJX data breach became
Identity Theft & Fraud Protection for Identity Theft & Fraud Protection for Massachusetts Residents Copyright Notice November 2009 Joe Burns All rights reserved This PowerPoint presentation is a part of
International Association of Privacy Professionals Practical Privacy Series New York City MASSACHUSETTS OFFICE OF CONSUMER AFFAIRS AND BUSINESS REGULATION AND DATA SECURITY LAW Barbara Anthony Undersecretary
MFA Perspective 201 CMR 17.00: The Massachusetts Privacy Law Compliance is Mandatory... Be Thorough but Be Practical DEADLINE FOR FULL COMPLIANCE HAS BEEN EXTENDED FROM JANUARY 1, 2010 TO MARCH 1, 2010
BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY TABLE OF CONTENTS Chapter Title Page 1 Introduction 1 2 Definitions 2 3 General Roles and Responsibilities 4 4 Sensitive Data
IDENTITY THEFT: DATA SECURITY FOR EMPLOYERS Daniel J. Blake, Esq. Vijay K. Mago, Esq. LeClairRyan, A Professional Corporation LeClairRyan, A Professional Corporation One International Place, Eleventh Floor
Page 1 Page 2 Page 3 Agenda Defining the Massachusetts Personal Data Security Law Becoming Compliant Page 4 Massachusetts Privacy Law Defining the Massachusetts Personal Data Security Law - 201 CMR 17.00
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder
The Massachusetts Data Security Law and Regulations November 2, 2009 Boston Brussels Chicago Düsseldorf Houston London Los Angeles Miami Milan Munich New York Orange County Rome San Diego Silicon Valley
A Practical Guide to Understanding and Complying with Massachusetts Data Security Regulations February 2010 Table of Contents Background... 1 Are You Required to Comply?... 1 What You Need to Do...2 Reference
California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...
PRIVACY & DATA SECURITY LAW JOURNAL MASSACHUSETTS On September 22, 2008, Massachusetts adopted regulations that will require businesses, wherever located, that own, license, store, or maintain information
Protecting Personal Information A Business Guide Division of Finance and Corporate Securities Oregon Identity Theft Protection Act Collecting, keeping, and sharing personal data is essential to all types
TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration
PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers
INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in
WHITEPAPER Automation Suite for Assurance with LogRhythm The Massachusetts General Law Chapter 93H regulation 201 CMR 17.00 was enacted on March 1, 2010. The regulation was developed to safeguard personal
Cyber Self Assessment According to Protecting Personal Information A Guide for Business 1 a sound data security plan is built on five key principles: 1. Take stock. Know what personal information you have
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
College of DuPage Information Technology Information Security Plan April, 2015 TABLE OF CONTENTS Purpose... 3 Information Security Plan (ISP) Coordinator(s)... 4 Identify and assess risks to covered data
New York University University Policies Title: Payment Card Industry Data Security Standard Policy Effective Date: April 11, 2012 Supersedes: N/A Issuing Authority: Executive Vice President for Finance
DRAFT National Rural Water Association Identity Theft Program Model September 22, 2008 This model has been designed to help water and wastewater utilities comply with the Federal Trade Commission s (FTC)
Physical Protection Policy Sample (Required Written Policy) 1.0 Purpose: The purpose of this policy is to provide guidance for agency personnel, support personnel, and private contractors/vendors for the
2011 Data Breach Notifications Report December 2011 2011 Report on Data Breach Notifications History, Laws and Regulations On October 31, 2007, the Commonwealth s Data Security Breach Law, Mass. Gen. Law
HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors
Best Practices for Protecting Sensitive Data in an Oracle Applications Environment Presented by: Jeffrey T. Hare, CPA CISA CIA Webinar Logistics Hide and unhide the Webinar control panel by clicking on
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
Fall 2014 Protection of Personal Information Security and Incident Investigation Procedures and Practices for Local Governmental Units Effective January 1, 2015 Darren T. Sammons, Staff Attorney Commonwealth
Doing Business in Oregon Under the Oregon Consumer Identity Theft Protection Act and Related Privacy Risks Privacy Data Loss www.breachblog.com Presented by: Mike Porter March 10, 2009 2 Privacy Data Loss
Belmont Savings Bank Are there Hackers at the gate? 2013 Wolf & Company, P.C. MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2013 Wolf & Company, P.C. About Wolf & Company, P.C.
Dartmouth College Merchant Credit Card Policy for Managers and Supervisors Mission Statement Dartmouth College requires all departments that process, store or transmit credit card data remain in compliance
M E M O R A N D U M To: From: IT Steering Committee Brian Cohen Date: March 26, 2009 Subject: Revised Information Technology Security Procedures The following is a revised version of the Information Technology
HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as required by HIPAA. 1. Definitions. a. Business Associate, as used in this Contract, means the
COUNCIL POLICY NO. C-13 TITLE: POLICY: Identity Theft Prevention Program See attachment. REFERENCE: Salem City Council Finance Committee Report dated November 7, 2011, Agenda Item No. 3 (a) Supplants Administrative
HIPAA Training for Hospice Staff and Volunteers Hospice Education Network Objectives Explain the purpose of the HIPAA privacy and security regulations Name three patient privacy rights Discuss what you
HIPAA 101: Privacy and Security Basics Purpose This document provides important information about Kaiser Permanente policies and state and federal laws for protecting the privacy and security of individually
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
INTRODUCED BY CONGRESSMAN RANDY NEUGEBAUER (R-TX) AND CONGRESSMAN JOHN CARNEY (D-DE) SECTION-BY-SECTION ANALYSIS Section 1: Short Title The Data Security Act of 2015. Section 2: Purposes The purposes of
EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES This document describes Eastern Oklahoma State College s policy and procedures for the proper
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation
CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION Robert N. Young, Director Carruthers & Roth, P.A. Email: email@example.com Phone: (336) 478-1131 TOPICS 1. Threats to your business s data 2. Legal obligations
Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR Information and Resources for Small Medical Offices Introduction The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario s health-specific
Information Security Plan effective March 1, 2010 Section Coverage pages I. Objective 1 II. Purpose 1 III. Action Plans 1 IV. Action Steps 1-5 Internal threats 3 External threats 3-4 Addenda A. Document
Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version
PimaCountyCommunityCollegeDistrict Standard Practice Guide Administrative Procedure SPG AP Title: Portable College-Issued Mobile Device Security SPG AP Number: SPG-5702/AD AP 9.01.04 Effective Date: 11/13/06
Huddersfield New College Further Education Corporation Card Payments Policy (including information security and refunds) 1.0 Policy Statement Huddersfield New College Finance Office handles sensitive cardholder
AUBURN WATER SYSTEM Identity Theft Prevention Program Effective October 20, 2008 I. PROGRAM ADOPTION Auburn Water System developed this Identity Theft Prevention Program ("Program") pursuant to the Federal
Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION The purpose of this policy is to outline essential roles and responsibilities within the University community for
PROPOSED PROCEDURES FOR AN IDENTITY THEFT PROTECTION PROGRAM Setoff Debt Collection and GEAR Collection Programs The Identity Theft and Fraud Protection Act (Act No. 190) allows for the collection, use
Identity Theft Prevention and Security Breach Notification Policy Purpose: Lahey Clinic is committed to protecting the privacy of the Personal Health Information ( PHI ) of our patients and the Personal
INFORMATION SECURITY AND SECURITY BREACH NOTIFICATION GUIDANCE Preventing, Preparing for, and Responding to Breaches of Information Security The Office of Illinois Attorney General Lisa Madigan has created
POLICIES Campus Data Security Policy Issued: September, 2009 Responsible Official: Director of IT Responsible Office: IT Central Policy Statement Policy In the course of its operations, Minot State University
State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES
Information Security Policy Version August 23, 2010 1 of 8 Table of Contents Introduction Ethics and Acceptable Use Policies Usage Policy Disciplinary Action Protect Stored Data Restrict Access to Data
Procedure Credit Card Handling and Security for Departments/Divisions and Elected/Appointed Offices Last Update: January 19, 2016 References: Credit Card Payments Policy Purpose: To comply with the Payment
Protecting the Information of Clients, Donors, the Organization, Oh MY! Stacey Keegan November 14, 2012 Mission of Pro Bono Partnership of Atlanta: To maximize the impact of pro bono engagement by connecting
TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology
UCR Cashiering & Payment Card Services TERMINAL CONTROL MEASURES Instructions: Upon completion, please sign and return to firstname.lastname@example.org when requesting a stand-alone dial up terminal. The University
U.S. Department of Housing and Urban Development Office of Public and Indian Housing SPECIAL ATTENTION OF: NOTICE PIH-2014-10 Directors of HUD Regional and Field Offices of Public Housing; Issued: April
Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
Responsible Access and Use of Information Technology Resources and Services Policy Functional Area: Information Technology Services (IT Services) Applies To: All users and service providers of Armstrong
Policy Title: Effective Date: Revision Date: Subject Matter Experts / Approval(s): TAC: LASO: C/ISO: Front Desk: Technology Support Lead: Agency Head: Every 2 years or as needed Purpose: The purpose of
HIPAA Training for Staff and Volunteers Objectives Explain the purpose of the HIPAA privacy, security and breach notification regulations Name three patient privacy rights Discuss what you can do to help
Ohio Supercomputer Center Portable Security Computing No: Effective: OSC-09 05/27/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original Publication
No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security
Minnesota State Colleges and Universities System Procedures Chapter 5 Administration Payment Card Industry Technical s Part 1. Purpose. This guideline emphasizes many of the minimum technical requirements
State of Illinois Department of Central Management Services MOBILE DEVICE SECURITY Effective: October 01, 2009 State of Illinois Department of Central Management Services Bureau of Communication and Computer
What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers