Student Visa - confidentiality and Reporting Requirements
1 Information Security: Best Practices
2 Larry Carson, Associate Director, Information Security Management, UBC
3 Agenda
- News-worthy Incidents
- Legislation
- Policy
- Passwords
- Training
- Who to call
- Scenarios
- Discussion
4 Recent News-worthy Security Incidents
- VGH: loss of 450 medical records via a resident's laptop and USB drive; lost/stolen at Toronto airport (late Sep 2011)
- UVic: loss of 11,845 employee records incl. banking info; stolen USB stick (Jan 7-8, 2012)
- SFU: loss of personal information for 150 students; stolen via keylogger (Jan 10, 2012)
- McGillLeaks: posts confidential donor information; stolen and posted (Mar 3, 2012)
- UBC: laptop loss and recovery with 50,000 records; stolen from vehicle (Feb 16, 2012)
- CGA: leaks 4,600 student records containing personal information to 2,300 students; an Excel file was accidentally included (Mar 13, 2012)
- BCIT: 12,680 student medical records compromised; server breached and used for movie uploads/downloads (Jun 2012)
5 BC's Freedom of Information and Protection of Privacy Act (FIPPA)
FIPPA legislates the handling of Personally Identifiable Information (PII) by BC public bodies.
Section 30: "A public body must protect personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal."
What is personal information? FIPPA definition: recorded information about an identifiable individual, not including contact information.
Contact information: information to enable an individual at a place of business to be contacted, and includes the name, position name or title, business telephone number, business address, business email or business fax number of the individual.
6 FIPPA (cont'd)
Roles: the Office of the Information and Privacy Commissioner (OIPC) and the BC CIO's Office.
How are the "reasonable security arrangements" of s.30 defined? Through investigative reports, pronouncements, guidelines, etc. In practice: Portable/Mobile = Encryption + Strong Passwords, and less is best (keep the minimum personal information on the device).
7 UBC Policies 104, 106 and the UBC Information Security Manual
- #104 Responsible Use of Information Technology Facilities and Services
- #106 Access to and Security of Administrative Information Systems
- UBC Information Security Manual V2.0: 3 tables (pages 6, 7 & 8)
8 Confidential: highest level of sensitivity. Sensitive: moderate level of sensitivity. Public: very low, but still requiring some protection.

Legal requirements
- Confidential: protection of the data is required by law (e.g. the Freedom of Information and Protection of Privacy Act [FIPPA], which covers Personally Identifiable Information [PII] and Protected Health Information [PHI]), by industry regulation (e.g. the Payment Card Industry Data Security Standard [PCI-DSS] for protection of credit card data) or by University of British Columbia policy.
- Sensitive: the institution has a contractual obligation to protect the data (e.g. bibliographic citation data, bulk licensed software).
- Public: none.

Reputation risk
- Confidential: high
- Sensitive: medium
- Public: low

Potential impact of loss
- Confidential: long-term loss of research funding from granting agencies; long-term loss of reputation; legal costs; individuals put at risk of identity theft; unauthorized tampering with research data; increased regulatory requirements; long-term loss of a critical campus or departmental service.
- Sensitive: short-term loss of reputation; short-term loss of research funding; short-term loss of a critical departmental service; unauthorized tampering with research data; individuals put at risk of identity theft.
- Public: loss of use of an individual workstation or laptop; public embarrassment.
9 What is Confidential Information (PII)?
- Employee
- Home contact info
- Dependants
- Medical/Health
- Research studies
- Patients
- Student
10 Student PII (student or prospective student)
- Name
- Email address, if it can identify an individual (Decision: Ontario Nov/11). E.g. … vs. …
- User account name, if it can identify an individual. E.g. ubc\greentree vs. ubc\jsmith
11 Student PII (cont'd): student or prospective student information; whether it is PII depends on context
- Student ID number
- Courses taken, if linked to the identity of an individual
- Enrolment status of a student. E.g. you cannot tell a student's parents whether their child is enrolled at the institution without the student's consent
12 Employee PII
- Payroll and other employee information
- Employee ID
- Home contact information, e.g. address and/or phone number
- Home address, if it can identify an individual (Decision: Ontario Nov/11). E.g. … vs. …
- Other people linked to the employee personally: dependants (e.g. spouse, children), beneficiaries, emergency contacts
What isn't PII? Salary, title/position, expenses, name.
13 Credit Card Processing (PCI-DSS)
- UBC is compliant with the Payment Card Industry Data Security Standard (PCI-DSS)
- If you process, or outsource the processing of, credit cards then you must be registered with the University
- UBC contracts a Qualified Security Assessor (QSA) to assist our merchants with achieving and maintaining PCI-DSS compliance
- UBC has a central service that is already PCI-DSS compliant: UBC epayment
- Contact: Raul Ramos
14 Confidential: highest level of sensitivity. Sensitive: moderate level of sensitivity. Public: very low, but still requiring some protection.

Access protocol
- Confidential: access is limited to those personnel permitted under law, regulation and University of British Columbia policies, and those with a need to know.
- Sensitive: access is limited to those personnel with a need to know.
- Public: open.

Transmission
- Confidential: it is strongly recommended that Confidential information transmitted through a network use approved encryption. Third party services are not appropriate for transmitting Confidential information. Confidential data may be masked instead of encrypted.
- Sensitive: approved encryption is recommended when transmitting information through a network. Third party services are discouraged for transmitting Sensitive information.
- Public: open.

Storage
- Confidential: the location of Confidential information should be clearly identified and reported via the Prioritisation Tool. Approved encryption or masking is strongly recommended and may be required on computing equipment depending upon law or regulation.
- Sensitive: approved encryption of Sensitive information is recommended. The level of protection required for Sensitive information is either pursuant to UBC policy or at the discretion of the owner or custodian of the information. If the appropriate level of protection is not known, check before storing Sensitive information unencrypted.
- Public: encryption is not required.

Protection controls
- Confidential: in accordance with law, regulation and University of British Columbia policies, procedures and standards.
- Sensitive: in accordance with University of British Columbia policies, procedures and standards.
- Public: in accordance with University of British Columbia policies, procedures and standards.
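The handling table allows Confidential data to be masked instead of encrypted in transit. Masking means removing the identifying part of each field so that what remains cannot be linked back to a person, for example the PCI DSS display rule that leaves at most the first six and last four digits of a card number visible. The following script is an added example, not code from the UBC slides or the Information Security Manual: the CSV columns, the fictitious rows and the masking rule per column are all assumptions, and the pre-send check only looks for full identifiers that survived masking.

```python
"""Mask Confidential fields in a record before it is transmitted.
Added example, not from the UBC slides; column names are assumptions."""
import csv
import io
import re

# Constructed sample export with fictitious people; column names are assumed.
SAMPLE_CSV = """student_id,name,home_address,card_number,course,grade
12345678,Jane Doe,123 Main St Vancouver,4111111111111111,LAW 301,A
87654321,John Roe,9 Elm Rd Burnaby,5555555555554444,LAW 301,B+
"""


def mask_pan(pan: str) -> str:
    """Card number per the PCI DSS display rule: at most the first six and
    the last four digits may remain visible."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a card number: %r" % pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_id(value: str, keep_last: int = 3) -> str:
    """Keep only the last few digits of an identifier such as a student ID."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def mask_name(value: str) -> str:
    """Reduce a personal name to initials."""
    return "".join(part[0].upper() + "." for part in value.split())


# Columns the slides treat as PII and the masking rule for each. Columns
# absent from this map (course, grade) are passed through unchanged.
MASKERS = {
    "student_id": mask_id,
    "name": mask_name,
    "home_address": lambda _: "[redacted]",
    "card_number": mask_pan,
}


def mask_rows(csv_text: str) -> list:
    """Parse a CSV export and return the masked rows as dicts."""
    masked = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        masked.append({col: MASKERS.get(col, lambda v: v)(val)
                       for col, val in row.items()})
    return masked


def is_masked(row: dict) -> bool:
    """Pre-send check: no run of eight or more digits (a full student ID
    or card number) survives anywhere in the row."""
    return not any(re.search(r"\d{8,}", val) for val in row.values())


if __name__ == "__main__":
    for row in mask_rows(SAMPLE_CSV):
        print(row, "safe to send" if is_masked(row) else "STILL IDENTIFYING")
```

Masking is irreversible, so the recipient must not need the full values. It also only helps if the fields left intact do not re-identify the person on their own (a course with three students plus a grade may), and it is an alternative for transmission only; the full record at rest on a laptop or USB stick still needs encryption.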
15 Passwords
- No sharing: accountability
- IT personnel never need to know your password
- Phishing
- Change it annually
- Make it strong. But how?
17 Training: UBC Information Security Awareness Training; CWL for access; employees and graduate students
18 Who to call: IT support staff; IT Service Centre
19-20 Scenarios - Tuition
1. A man calls and states that he is the father of David Smith; that he pays his son's tuition fees and wants to confirm that he is taking law courses as planned at UBC. How do you handle this?
A: Put the call on hold and check for a waiver from the student. Do not confirm or deny the attendance of the student at UBC without the waiver.
21-22 Scenarios - Scholarships
2. You are coordinating a review of potential students for scholarships and need to distribute information on the candidates to the committee. You decide USB sticks will be good for most members; however, two members are not local, so you decide to use email for them. How do you share the information safely?
A: USB sticks with encryption. Encrypt the spreadsheet and phone the two people with the passphrase, so the passphrase never travels in the same channel as the file.
23-24 Scenarios - Phishing
3. You receive an email stating that UBC has moved to a new system but, to make sure your account still works, you will need to go to the following website and enter your username and password. The email has UBC logos and looks authentic. What do you do?
A: Contact IT support and validate that it is real. Do not follow the link or enter your password until it has been validated; logos and a plausible sender address prove nothing.
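The scenario above hinges on where the link actually leads, which is what the lookalike design is meant to hide. The script below is an added example, not from the UBC slides: it extracts the links from a constructed phishing message and classifies each by its real host, catching the usual tricks (a trusted name used as a subdomain of an attacker's domain, a trusted name placed in the userinfo part before an @, bare IP addresses, punycode hosts). The trusted-domain list and the sample message are assumptions. A link that passes is not proof the email is genuine; the slide's answer, validating with IT support, still applies.

```python
"""Check where the links in a suspicious email really point. Added example,
not from the UBC slides; the sample message and the trusted-domain list are
assumptions, and a link passing this check still needs validation by IT."""
import re
from urllib.parse import urlsplit

# Assumption: the institution's real domain; its subdomains are trusted.
TRUSTED_DOMAINS = {"ubc.ca"}

# Constructed phishing message. The From header looks right, as in the
# scenario, because senders are trivially spoofed; only the links are tested.
SAMPLE_EMAIL = """From: IT Help Desk <helpdesk@ubc.ca>
Subject: Action required: new email system

To keep your account active, sign in at
https://ubc.ca.account-verify.example/login
or https://ubc.ca@203.0.113.5/login . Our policy: https://it.ubc.ca/security
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_trusted_host(host: str) -> bool:
    """True only for a trusted domain itself or a real subdomain of it.
    'ubc.ca.evil.example' fails: the trusted name must be the suffix."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify_url(url: str) -> str:
    parts = urlsplit(url)
    if parts.username is not None:
        # "https://ubc.ca@host/": everything before the @ is userinfo;
        # the browser connects to the host after it.
        return "suspicious: userinfo hides real host %s" % parts.hostname
    host = parts.hostname
    if host is None:
        return "suspicious: no host"
    if re.fullmatch(r"[\d.]+", host):
        return "suspicious: bare IP address"
    if host.startswith("xn--") or ".xn--" in host:
        return "suspicious: punycode (lookalike characters) in host"
    if not is_trusted_host(host):
        return "suspicious: untrusted host %s" % host
    if parts.scheme != "https":
        return "suspicious: not https"
    return "ok"


def check_email(text: str) -> dict:
    """Map every link in the message to a verdict."""
    return {u.rstrip(".,;:)"): classify_url(u.rstrip(".,;:)"))
            for u in URL_RE.findall(text)}


if __name__ == "__main__":
    for url, verdict in check_email(SAMPLE_EMAIL).items():
        print(verdict, "<-", url)
```

In HTML mail the visible link text and the href differ, so run the check on the href, not on what is displayed, and treat any verdict other than "ok" as a reason to stop and call IT support.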
25-26 Scenarios - Tablets
4. You have a new iPad and wish to work with it instead of carrying around the laptop provided to you by UBC. You've connected it to FASmail and have put a 5-digit PIN on the device to protect it. Can you work on spreadsheets that contain confidential student information from the device?
A: No. The tablet needs strong encryption along with a strong password/passphrase. A 5-digit PIN is weak (only 100,000 possibilities), and the device's encryption has not been validated as strong.
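The passwords slide asks "make it strong, but how?" and the tablet scenario shows the failure mode: a 5-digit PIN. The script below is an added example, not code from the UBC slides. It generates a passphrase from a word list with the operating system's CSPRNG and sizes the guess-space of the PIN against that of the passphrase. The 64-word list embedded here is a constructed stand-in (a real diceware-style list has 7776 words), the 60-bit policy threshold and the guessing rate are assumptions, and the entropy figures hold only when the choices are made by the generator, not by a person.

```python
"""'Make it strong, but how?': generate a passphrase with a CSPRNG and
size its guess-space against the 5-digit tablet PIN from scenario 4.
Added example, not from the UBC slides. The 64-word list is a constructed
stand-in; a real diceware-style list has 7776 words (12.9 bits per word)."""
import math
import secrets

WORDS = """apple bridge candle dragon ember forest garden harbor island jungle
kettle lantern meadow needle orbit pebble quartz ribbon saddle timber
umbrella velvet walnut yellow zephyr anchor basket cactus dolphin eagle
falcon glacier helmet iron jacket kayak ladder magnet nickel oyster
parrot quiver rocket silver tunnel unicorn violin willow xenon yogurt
zipper acorn badger copper daisy engine feather goblet hammer ivory
jigsaw koala lemon marble""".split()   # 64 words = 6 bits per word


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of guess-space for `length` independent, uniform choices.
    Only valid when the choices come from a CSPRNG, not from a person."""
    return length * math.log2(alphabet_size)


def generate_passphrase(n_words: int = 6, words=WORDS) -> str:
    """secrets.choice draws from the OS CSPRNG; random.choice would not do."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a given rate. Offline cracking of a
    stolen hash or disk header runs far faster than an online login form."""
    return 2.0 ** bits / guesses_per_second


def meets_policy(bits: float, minimum_bits: float = 60.0) -> bool:
    """Assumed local policy: at least 60 bits for anything that unlocks
    Confidential data on a portable device."""
    return bits >= minimum_bits


def compare(pin_digits: int = 5, words_in_list: int = 7776, n_words: int = 6,
            rate: float = 1e9) -> dict:
    """Guess-space of a numeric PIN versus a word-list passphrase, at an
    assumed offline rate of `rate` guesses per second."""
    pin_bits = entropy_bits(10, pin_digits)
    phrase_bits = entropy_bits(words_in_list, n_words)
    return {
        "pin_bits": pin_bits,
        "pin_seconds": seconds_to_exhaust(pin_bits, rate),
        "pin_ok": meets_policy(pin_bits),
        "passphrase_bits": phrase_bits,
        "passphrase_years": seconds_to_exhaust(phrase_bits, rate) / 31_557_600,
        "passphrase_ok": meets_policy(phrase_bits),
    }


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase())
    for key, value in compare().items():
        print(key, value)
```

With the small embedded list you need ten words to reach 60 bits; with a real 7776-word list, six words give about 77 bits. Either way the PIN's 16.6 bits is exhausted in a fraction of a second offline, which is why the tablet answer says the PIN is weak regardless of how good the device encryption is.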
27-28 Scenarios - Manager
5. You are the manager of a team. You are concerned that when a person is sick or on vacation, important emails may not receive attention. You decide that asking the staff for their usernames and passwords is appropriate and that you will keep the information locked in a safe just in case. Is this okay?
A: No. Usernames and passwords should only be known to the individual; sharing them removes accountability. Instead, ask them to delegate access to their email, or set up a special account for shared communications.
29-30 Scenarios - Payroll
6. You need to back up payroll data as part of your unit's Business Continuity plans and decide that a USB stick stored in a safe would be a good idea. Will this be safe?
A: No. The USB stick must be fully encrypted, using strong encryption with a strong password; see UVic's January data breach (11,845 employee records on a stolen USB stick).
31-32 Scenarios - Telecommuting
7. You need to work from home and decide to borrow a laptop from the office pool. You transfer copies of your confidential employee records to the laptop. What are the problems with this, and what options do you have to do this safely?
A: The laptop must be encrypted before use; check this before transferring the records. Copy only the records you need, not all of them, unless that is necessary. Options: 1. Use a VDI session to remotely access your desktop; the data stays on UBC premises. 2. Use an encrypted USB stick and work only from the stick; the stick must have strong encryption and a strong password.
33 Discussion
More informationProtecting personally identifiable information: What data is at risk and what you can do about it
Protecting personally identifiable information: What data is at risk and what you can do about it Virtually every organization acquires, uses and stores personally identifiable information (PII). Most
More informationHOT!! Privacy Issues:
September, 2015 HOT!! Privacy Issues: Handle with care................... Micheal Harding Legislative & Policy Analyst Legislative Unit Manitoba Health, Healthy Living and Seniors By the end of 2016, the
More informationCyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s
Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s 1 Agenda Data Security Trends Root causes of Cyber Attacks How can we fix this? Secure Infrastructure Security Practices
More informationHIPAA ephi Security Guidance for Researchers
What is ephi? ephi stands for Electronic Protected Health Information (PHI). It is any PHI that is stored, accessed, transmitted or received electronically. 1 PHI under HIPAA means any information that
More informationACCEPTING PAYMENT CARD ASSESSMENT Pre-Selection Questionnaire
ACCEPTING PAYMENT CARD ASSESSMENT Pre-Selection Questionnaire Overview This pre-implementation questionnaire is designed to provide the Boston College Internal Audit Department with a general understanding
More informationABERDARE COMMUNITY SCHOOL
ABERDARE COMMUNITY SCHOOL IT Security Policy Drafted June 2014 Revised on....... Mrs. S. Davies (Headteacher) Mr. A. Maddox (Chair of Interim Governing Body) IT SECURITY POLICY Review This policy has been
More informationHIPAA: Bigger and More Annoying
HIPAA: Bigger and More Annoying Instructor: Laney Kay, JD Contact information: 4640 Hunting Hound Lane Marietta, GA 30062 (770) 312-6257 (770) 998-9204 (fax) laney@laneykay.com www.laneykay.com OFFICIAL
More informationIntro. Tod Ferran, CISSP, QSA. SecurityMetrics. 2 years PCI and HIPAA security consulting, performing entity compliance audits
HIPAA Security Rule & Live Hack Tod Ferran, CISSP, QSA Intro Tod Ferran, CISSP, QSA 25 years working with IT and physical security 2 years PCI and HIPAA security consulting, performing entity compliance
More informationLESS IS MORE PCI DSS SCOPING DEMYSTIFIED
LESS IS MORE PCI DSS SCOPING DEMYSTIFIED Lauren Holloway PCI Security Standards Council Emma Sutcliffe PCI Security Standards Council Session ID: Session Classification: DSP-W21 Intermediate Who s Here
More information2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents
2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)
More informationData Security in a Mobile, Cloud-Based World
Data Security in a Mobile, Cloud-Based World Jacob Buckley-Fortin CEO ehana What we ll cover Trends Risks Recommendations 1 Trends Mobile Has Taken Over Trend #1 2 3 450 million users worldwide Adopted
More informationPCI Compliance. by: David Koston
PCI Compliance by: David Koston PCI DSS Payment Card Industry Data Security Standard American Express Discover JCB MasterCard VISA Why? Continue to do business Retain Customers Legal Standards are Coming!
More informationOther terms are defined in the Providence Privacy and Security Glossary
Subject: Device and Media Controls Department: Enterprise Security Executive Sponsor: EVP/COO Approved by: Rod Hochman, MD - President/CEO Policy Number: New Date: Revised 10/11/2013 Reviewed Policy Owner:
More informationUniversity of Liverpool
University of Liverpool Card Payment Policy Reference Number Title Version Number 1.0 Document Status Document Classification FIN-001 Card Payment Policy Active Public Effective Date 03 June 2014 Review
More informationPCI Compliance Top 10 Questions and Answers
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
More informationISEC Seminar : Protecting Personal Data in the Electronic Media Personal Data Security @ JPMorgan Micky Lo March 2007 1 Agenda Data Theft Incidence & Industry Figures Threats and Vulnerabilities Data Protection
More informationBecoming PCI Compliant
Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History
More informationIntroduction to PCI DSS
Month-Year Introduction to PCI DSS March 2015 Agenda PCI DSS History What is PCI DSS? / PCI DSS Requirements What is Cardholder Data? What does PCI DSS apply to? Payment Ecosystem How is PCI DSS Enforced?
More informationNationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011
Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8
More informationMontclair State University. HIPAA Security Policy
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
More informationWellesley College Written Information Security Program
Wellesley College Written Information Security Program Introduction and Purpose Wellesley College developed this Written Information Security Program (the Program ) to protect Personal Information, as
More informationData Security Breach. How to Respond
Data Security Breach How to Respond About ERM About The Speaker Information Security Director at ERM CISSP, CISA, CRISC, PCIP, PCI-QSA Core Experience: Information Assurance Computer Forensics Penetration
More information