The Investment Lawyer
Covering Legal and Regulatory Issues of Asset Management
VOL. 21, NO. 8, AUGUST 2014

Developments in Cybersecurity Law Governing the Investment Industry
By Luke T. Cadigan and Sean P. Mahoney

Regulatory focus on cybersecurity is intensifying. Unlike other compliance matters, the deterrent effect of enforcement actions following data security breaches may be insufficient to achieve regulators' purpose of ensuring that technology platforms are secure before an event occurs. Thus, in the area of cybersecurity, regulators appear to be shunning granular, prescriptive rules and instead insisting upon more holistic management of cybersecurity risk. While regulations and guidance imposing cybersecurity requirements can be difficult to decipher, there are a number of sources that one can look to in order to discern regulatory expectations. By way of current law, brokers, dealers, investment companies and investment advisers (SEC-regulated Entities) can look to Securities and Exchange Commission (the SEC) Regulation S-P,[1] promulgated pursuant to Title V of the Gramm-Leach-Bliley Act, enforcement actions taken under that rule, and state laws governing information security generally. More current guidance was discussed at a roundtable on cybersecurity hosted by the SEC, and an alert with a sample request for information, providing more detail on expectations, was released by the SEC Office of Compliance Inspections and Examinations (OCIE). In addition to OCIE guidance, the National Institute of Standards and Technology (NIST) issued its cybersecurity framework, which appears to have been accepted by the SEC.

Existing Laws and Regulations Governing Cyber-Security

Prescriptive rules and regulations governing data security practices of SEC-regulated Entities are generally limited to discrete requirements designed to protect specific classes of information.
Regulation S-P, for example, requires SEC-regulated Entities to adopt written policies and procedures with administrative, technical and physical safeguards to protect customer records and information. Unlike similar regulations promulgated by bank regulators, Regulation S-P does not contain detailed information security requirements. In 2008, the SEC had proposed a significant expansion of Regulation S-P to provide more detailed requirements with respect to the information security policies and procedures of SEC-regulated Entities.[2] The SEC's proposed rule would have closely tracked the Interagency Guidelines Establishing Standards for Safeguarding Customer Information adopted by federal bank regulators.[3] The proposed regulations would have explicitly imposed a number of requirements that may otherwise be viewed as best practices, including:

- Designating employees to implement the information security program;
- Identifying risks to data security;
- Designing safeguards to protect against identified risks;
- Testing or monitoring effectiveness of key controls, systems and procedures;
- Training staff; and
- Overseeing service providers by ensuring that they are capable of protecting data and requiring them to maintain appropriate safeguards.[4]

The proposed rules also would have imposed requirements for responding to data security breaches and providing notice to affected persons, a key concern at the time the rules were proposed.[5]

Regulation S-P further requires that SEC-regulated Entities dispose of consumer report information and protect against its unauthorized access or use in connection with its disposal.[6] Consumer report information is a consumer report or information derived from a consumer report. Consumer report, in turn, is defined somewhat circularly as any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for [consumer credit, employment or other permissible purposes].[7]

In addition, the SEC promulgated Regulation S-ID pursuant to the Fair and Accurate Credit Transactions Act of 2003 (FACT Act).[8] Regulation S-ID requires SEC-regulated Entities that are financial institutions or creditors (that is, persons that regularly extend credit)[9] and that offer or maintain covered accounts to develop and implement written identity theft prevention programs designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.[10] For purposes of Regulation S-ID, a financial institution is an entity that maintains accounts with respect to which the account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items.[11] Covered accounts are consumer accounts incident to continuing relationships that allow for multiple transactions or withdrawals, or other accounts that present the risk of identity theft.[12]

There are also state data security laws that may be broadly applicable to information security programs. Massachusetts adopted one of the more detailed information security and data security breach laws, which applies to any person that holds protected personal information pertaining to Massachusetts residents.[13] The Massachusetts law protects information, however, only to the extent that it consists of a name and an identifying number, such as a social security number, driver's license number or account number. Regulations adopted under the Massachusetts statute require persons holding such protected information, which may include SEC-regulated Entities, to:

- Designate one or more employees to maintain the comprehensive information security program;
- Identify and assess reasonably foreseeable internal and external risks to information security and assess the effectiveness of the current safeguards;
- Educate and train employees on the proper use of the computer security system and the importance of information security;
- Develop security policies for employees relating to the storage, access and transportation of protected information;
- Impose disciplinary measures for violations of the comprehensive information security program rules;
- Prevent terminated employees from accessing records containing personal information;
- Manage vendors by, among other things, ascertaining each vendor's ability to keep protected information secure and requiring that vendors maintain comprehensive information security programs;
- Impose reasonable restrictions upon access to protected information;
- Review the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information;
- Document responsive actions taken in connection with any incident involving a breach of security, and conduct a mandatory post-incident review of events and actions taken;
- Employ secure user authentication protocols;
- Encrypt all transmission of protected information and all personal information stored on laptops or other portable devices;
- Monitor for unauthorized use of or access to personal information; and
- Employ reasonably up-to-date firewall protection and operating system security patches.[14]

While the SEC has yet to impose such detailed requirements, OCIE has taken the position that Rule 15c3-5, promulgated under the Securities Exchange Act,[15] requires broker-dealers with market access to an exchange or alternative trading system, or that provide customers or other persons with such access, to maintain policies and procedures to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.[16] OCIE appears to reason that Rule 15c3-5's requirement that a broker-dealer restrict access to trading systems and technology that provide market access to persons and accounts preapproved and authorized by the broker or dealer imposes a general cybersecurity requirement.[17]

With respect to the business continuity aspect of cybersecurity, the Financial Industry Regulatory Authority, Inc. (FINRA) has adopted a rule on the topic,[18] which was approved by the SEC in August of 2009 and became effective January 1. FINRA Rule 4370 succinctly requires FINRA members to adopt a business continuity plan, designate members of senior management responsible for its implementation and disclose to their customers how the business continuity plan addresses possible future significant business disruption. Similarly, registered investment advisers are required to have compliance policies and procedures that address business continuity plans under Rule 206(4)-7 under the Investment Advisers Act.[19] And registered investment companies are required under Rule 38a-1 under the Investment Company Act of 1940 to have compliance policies and procedures that provide for oversight of compliance by certain fund service providers, which would include the service providers' business continuity plans.[20] Cybersecurity events such as distributed denial of service attacks (or DDoS attacks) would be the type of significant business disruption to be addressed by a business continuity plan under any of these rules.[21]

SEC Data Security Enforcement Actions

Notwithstanding the lack of detailed information security rules, the SEC has taken a number of enforcement actions under Regulation S-P with respect to data security practices. These actions typically involved what the SEC had perceived as egregious violations of the regulation, such as not having cybersecurity protocols that the SEC views as fundamental, having vague policies that merely restate the rule, or having no policies at all. The actions typically involve firms operating branch networks, where the firm lacks sufficient control over branch offices. For example, in 2008, the SEC issued a cease and desist order in response to an offer of settlement against a firm registered as a broker-dealer and investment adviser that the SEC alleged had insufficient cybersecurity, leaving the firm vulnerable to hacking attacks.[22]
The alleged violations were discovered following a hacking event in which hackers were able to access customer accounts and execute trades. In particular, the SEC found the following asserted cybersecurity failures under Regulation S-P: (1) failure to require registered representatives to maintain strong passwords (that is, passwords requiring a certain length or alphanumeric/special character combinations); (2) failure to require registered representatives to reset passwords periodically; (3) failure to allow registered representatives to change their own passwords; and (4) not having an automatic lockout feature after repeated, unsuccessful log-in attempts. The SEC further criticized the firm for allegedly allowing more than 300 information technology staff to access the log-in credentials for registered representatives. The SEC acknowledged that the firm had established a committee to consider cybersecurity improvements prior to the hacking incident, but it noted that the work of the committee was not scheduled to begin until a date after the hacking incidents occurred.

A little over a year later, the SEC issued a cease and desist order in response to an offer of settlement against another firm registered as a broker-dealer and investment adviser that the SEC alleged had insufficient cybersecurity.[23] Like the 2008 action, this action arose out of a hacking incident in which hackers allegedly accessed account information and used such information to execute trades. The particular shortcomings in cybersecurity involved the firm's alleged failure to require branch offices to install antivirus software, and knowledge, through the firm's information technology help desk, that certain branches did not have antivirus software. In this case, the alleged hacking occurred through the use of a computer virus.

Another enforcement action in 2009 involved a registered broker-dealer's failure to maintain adequate policies and procedures and failure to train branch office personnel.[24] SEC Staff described the firm's policies and procedures as simply restating the objectives of the information security provisions of Regulation S-P and not addressing any administrative, technical or physical safeguards associated with customer records or information, including how to dispose properly of such records when they were no longer needed. This action did not involve any information systems that were hacked; rather, the SEC alleged that records containing customer information were abandoned on the side of a road by a former registered representative and left there for approximately two weeks. This action stresses the SEC's view of the importance of data disposal procedures under Regulation S-P.

More recently, in a series of enforcement actions taken in 2011 in connection with the winding down of a registered broker-dealer, the SEC imposed civil money penalties against executives and other employees for, among other things, allegedly taking no action to prevent or respond to security breaches involving theft of laptops and access to the firm by former employees.[25] The SEC also asserted that the respondents violated Regulation S-P by transferring customer records of the firm winding down without customer consent, highlighting the obligations of officers and employees to safeguard data as part of a firm's cybersecurity responsibilities. In this case, a chief compliance officer was assessed civil money penalties for the alleged cybersecurity-related violations.

While these enforcement actions indicate the SEC's willingness to use existing regulations to ensure security of sensitive information, they all share one common element: each action was commenced after an alleged incident of unauthorized access to customer information. These actions also have little to do with potential risks associated with access to information systems of SEC-regulated Entities where such access involves sensitive information that is not protected by Regulation S-P.
It should be no surprise that recent statements and releases from the SEC indicate that the SEC is looking to take a more proactive approach to cybersecurity.

Guidance Addressing Cybersecurity

While the increasing focus on cybersecurity is unmistakable, the SEC has been following this issue for some time. Over the past few years, OCIE has repeatedly indicated that risk management is one of its examination priorities.[26] Further, with respect to technology, OCIE has indicated that it will examine governance and supervision of information technology systems, operational capability, market access, information security, and preparedness to respond to sudden malfunctions and system outages.[27] In so many words, cybersecurity has been on the minds of OCIE Staff, with a specific reference to the term.[28]

On March 26, 2014, the SEC held a roundtable at which SEC Commissioners and external panelists were invited to discuss cybersecurity issues.[29] Dialogue among the panelists focused on measures that could be taken to ensure firms are dedicating resources to risk management and good internal controls. Potential next steps included sharing of information and best practices; principles-based guidance; preparation of incident response playbooks; tailoring requirements so they can be adapted to firms of varying profiles (including small firms); and encouraging further planning, testing and communication. SEC Staff stressed the need for disaster recovery planning and the ability to recover from any outages, including those caused by cybersecurity breaches such as DDoS attacks. One unexpected consensus among panelists in the discussion was that they invited additional regulations or other cybersecurity guidance that would help SEC-regulated Entities focus on particular cybersecurity risks and techniques to mitigate them. One panelist suggested that the SEC's proposed amendments to Regulation S-P could be viewed as guidance to help SEC-regulated Entities establish comprehensive information security programs. Most of the panelists seemed to agree that the Framework for Improving Critical Infrastructure Cybersecurity, released February 12, 2014 by NIST,[30] is a source of sound guidance for SEC-regulated Entities in designing cybersecurity programs.
Less than one month after the SEC roundtable, OCIE followed up with a risk alert indicating that 50 broker-dealers and registered investment advisers would be examined with an eye towards cybersecurity policies and procedures.[31] The OCIE risk alert included a sample information request that provides a glimpse into the types of policies, procedures and protocols that OCIE views as part of a cybersecurity program. This risk alert provides the most comprehensive SEC guidance on cybersecurity to date. Implicit in the OCIE sample information request is that SEC-regulated Entities should incorporate, or use as a model, the NIST framework or other published cybersecurity risk management process standards. The OCIE focus on the NIST framework can be viewed as a shift from crafting specific rules on cybersecurity to conveying expectations as to risk management activities around cybersecurity.

The NIST framework is, after all, essentially a risk management framework tailored to cybersecurity activities. The framework consists of three main areas: core activities, implementation tiers and a framework profile. The NIST framework establishes that the crux of expected cybersecurity activities would include identification (or risk assessments), protection activities (or risk mitigation), detection activities (or monitoring), response activities and recovery activities. Each area is further divided into subgroups, which makes the framework inherently scalable by allowing an organization to implement only those areas that are relevant to it. Through the use of implementation tiers and framework profiles, an organization may use the framework to assess the organization's current profile and create a target profile and plan for transitioning from the current state to the desired state.
Consistent with the NIST framework, the OCIE sample information request is organized around assessment activities, including: (1) assessment of technology assets and risks, (2) cybersecurity protection activities, (3) specific risks associated with customer access, (4) specific risks associated with vendors and third parties, and (5) detection of unauthorized activity.

With respect to assessment activities, OCIE appears to expect that firms are inventorying physical devices, systems, software platforms and applications. Such inventories should prioritize resources for protection. It also suggests that firms should catalogue connections and data flows, including connections from external sources. It is expected that firms are already conducting periodic assessments of both cybersecurity and physical security, with documented findings. Firms should also be aware of any insurance coverage maintained for cybersecurity events, including the limitations of such coverage. The information request reminds us that SEC-regulated Entities should have written information security programs that conform to Regulation S-P, as well as Regulation S-ID (Identity Theft Red Flags Rules), if applicable, and that specifically address removable and portable media. The information request suggests that such programs should incorporate documentation of responsibilities for employees and managers with respect to cybersecurity, and that training for both employees and vendors with access to the firm's network should be documented. Note that for many SEC-regulated Entities these specific aspects of a written information security program may already be required under applicable state laws governing information security.
As for protection activities, the OCIE sample information request solicits information pertaining to the following specific data security protection activities:

- providing written guidance and periodic training to employees concerning information security risks and responsibilities;
- maintaining controls to prevent unauthorized escalation of user privileges and lateral movement among network resources;
- restricting users' access to those network resources only as necessary for their business functions;
- maintaining a segregated environment for testing and development of software and applications;
- preventing users from altering the baseline configuration of hardware and software without authorization;
- managing IT assets and performing regular system maintenance;
- maintaining controls to secure removable and portable media against malware and data leakage;
- maintaining protection against DDoS attacks for critical internet-facing IP addresses;
- maintaining a written data destruction policy;
- maintaining a written cybersecurity incident response policy;
- periodically testing the functionality of the firm's backup system;
- use of encryption; and
- conducting periodic audits of compliance with the firm's information security policies.

With respect to risks associated with customer transactions, many of the items in the OCIE sample information request relate to authentication procedures used when employees and customers access an SEC-regulated Entity's network. This, perhaps, portends some guidance or standards around authentication, similar to the FFIEC 2005 guidance entitled Authentication in an Internet Banking Environment[32] and the supplement thereto.[33] The OCIE sample information request also contains a number of information requests relative to hacking activity or attempted intrusions into a firm's network. Implicit in this request is that a firm is monitoring such activity and maintaining appropriate logs.
In other words, there is an expectation that each firm is subjected to hacking attempts, but the awareness of such attacks and the responses thereto are what are critical.

The Road Ahead

With Regulation S-P as a starting point and the OCIE guidance and NIST framework being potential proxies for current SEC thinking, it appears the SEC may be moving toward a principles-based, risk management regime for cybersecurity. Accordingly, cybersecurity activities can no longer be viewed as issues confronting only compliance or information technology departments. Cybersecurity is increasingly viewed as an enterprise-wide concern that needs to start at the board of directors of a firm and permeate throughout the organization. Future examination and enforcement actions may not be limited to discrete violations of Regulation S-P, but may take into account assessments of risk management activities addressing cybersecurity.

In implementing cybersecurity plans, firms need to be careful to avoid silos. Given that cybersecurity will involve both the use of secure technology and training and compliance by natural persons, collaboration between information technology professionals and human resources professionals will be crucial. Moreover, input from operations professionals is also critical to ensure that any secure technologies adopted will be used and to avoid the development of shadow IT by operations professionals developing workarounds to firm technologies without organizational approval. The emergence of shadow IT may itself be a discrete risk that firms will be expected to assess at some point in the future. In any event, the guidance from regulators in this area is evolving rapidly to respond to the fast-changing nature of cybersecurity threats. The challenge for regulators is to devise a framework that allows firms to adapt their risk management programs rapidly without running afoul of discrete requirements.

Messrs. Cadigan and Mahoney are partners in the Boston, MA office of K&L Gates LLP.

NOTES

1 17 C.F.R (a)
2 Fed. Reg (March 13, 2008)
3 Fed. Reg (February 1, 2001)
4 Fed. Reg. at
5 Fed. Reg. at
6 C.F.R (b)
7 U.S.C. 1681a(d)
8 U.S.C. 1681m(e); 17 Code Fed. Regs
9 U.S.C. 1691a(d)
10 C.F.R (d)
11 C.F.R (a), 15 U.S.C. 1681a(t), 12 U.S.C. 461(b)
12 C.F.R (b)(1), (3).
13 Mass. Gen. Laws ch. 93H, 93I; 201 Code Mass. Regs et seq.
14 Code Mass. Regs ,
15 Code Fed. Regs c
16 OCIE National Exam Program Risk Alert (September 29, 2011), available at: https://www.sec.gov/about/offices/ocie/riskalert-mastersubaccounts.pdf.
17 See 17 Code Fed. Regs c3-5(c)(iii).
18 FINRA Rule
19 FR (August 28, 2009)
20 Fed. Reg , (enumerating policies and procedures required, including safeguards for the protection of customer information and business continuity plans) (December 24, 2003). In imposing these requirements, the SEC Staff implied that business continuity requirements arise out of an investment adviser's fiduciary duties, noting: "We believe that an adviser's fiduciary obligation to its clients includes the obligation to take steps to protect the clients' interests from being placed at risk as a result of the adviser's inability to provide advisory services after, for example, a natural disaster or, in the case of some smaller firms, the death of the owner or key personnel. The clients of an adviser that is engaged in the active management of their assets would ordinarily be placed at risk if the adviser ceased operations."
21 The Federal Financial Institutions Examination Council (FFIEC), which consists of the federal bank regulators, adopted guidance highlighting that information security and business continuity plans should recognize DDoS attacks as a risk and be designed to address such risks. See Joint Statement, Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources, available at: ec.gov/press/pdf/ffiec%20ddos%20Joint%20Statement.pdf.

22 In the Matter of LPL Financial Corporation, Administrative Proceeding No. (September 11, 2008).
23 In the Matter of Commonwealth Equity Services, LLP, Administrative Proceeding No. (September 29, 2009).
24 In the Matter of J.P. Turner & Company, LLC, Administrative Proceeding No. (July 17, 2009).
25 See In the Matter of Frederick O. Kraus, SEC Administrative Proceeding (April 7, 2011); In the Matter of David C. Levine, SEC Administrative Proceeding (April 7, 2011); In the Matter of Marc A. Ellis, SEC Administrative Proceeding (April 7, 2011).
26 OCIE Examination Priorities for 2013 (January 9, 2014), available at: ces/ocie/national-examination-program-priorities pdf; OCIE Examination Priorities for 2013 (February 21, 2013), available at: gov/about/offices/ocie/national-examination-programpriorities-2013.pdf; Examinations by the Securities and Exchange Commission's Office of Compliance Inspections and Examinations (February 2012), available at: ces/ocie/ocieoverview.pdf.
27 OCIE Examination Priorities for 2013 (January 9, 2014), available at: ocie/national-examination-program-priorities-2014.pdf.
28 Examinations by the Securities and Exchange Commission's Office of Compliance Inspections and Examinations at 33 (February 2012).
29 A transcript is available at: light/cybersecurity-roundtable/cybersecurity-roundtable-transcript.txt.
30 Available at: upload/cybersecurity-framework final.pdf.
31 OCIE National Exam Program Risk Alert (April 15, 2014), available at: ment/cybersecurity+risk+alert++%2526+appendix pdf.
32 Available at: ec.gov/pdf/authentication_guidance.pdf.
33 Available at: ec.gov/pdf/auth-its-Final% %20(FFIEC%20Formated).pdf.

Copyright 2014 CCH Incorporated. All Rights Reserved. Reprinted from The Investment Lawyer, August 2014, Volume 21, Number 8, pages 9-16, with permission from Aspen Publishers, Wolters Kluwer Law & Business, New York, NY.


More information

Client Update SEC Releases Updated Cybersecurity Examination Guidelines

Client Update SEC Releases Updated Cybersecurity Examination Guidelines Client Update September 18, 2015 1 Client Update SEC Releases Updated Cybersecurity Examination Guidelines NEW YORK Jeremy Feigelson jfeigelson@debevoise.com Jim Pastore jjpastore@debevoise.com David Sarratt

More information

Memorandum. SEC Risk Alert. May 13, 2015

Memorandum. SEC Risk Alert. May 13, 2015 Memorandum SEC and FINRA Report on Cybersecurity Sweep Examinations Broker-Dealers Better Positioned than Advisers; SEC Issues Cybersecurity Guidance Update May 13, 2015 The SEC issued a National Exam

More information

Client Advisory October 2009. Data Security Law MGL Chapter 93H and 201 CMR 17.00

Client Advisory October 2009. Data Security Law MGL Chapter 93H and 201 CMR 17.00 Client Advisory October 2009 Data Security Law MGL Chapter 93H and 201 CMR 17.00 For a discussion of these and other issues, please visit the update on our website at /law. To receive mailings via email,

More information

retained in a form that accurately reflects the information in the contract or other record,

retained in a form that accurately reflects the information in the contract or other record, AL 2004 9 O OCC ADVISORY LETTER Comptroller of the Currency Administrator of National Banks Subject: Electronic Record Keeping TO: Chief Executive Officers of All National Banks, Federal Branches and Agencies,

More information

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information

More information

State Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4

State Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4 State Agency Cybersecurity Survey v 3.4 The purpose of this survey is to identify your agencies current capabilities with respect to information systems/cyber security and any challenges and/or successes

More information

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY This Plan we adopted by member, partner, etc.) on Our Program Coordinator (date). (Board of Directors, owner, We have appointed

More information

DFLIVERY VIA SECURE EMAIL

DFLIVERY VIA SECURE EMAIL UNITED STATES SECURITIES AND EXCHANGE COMMISSION PHILADELPHIA REGIONAL OFFICE One Penn Center 1617 JFK Boulevard, Suite 520 Philadelphia, Pennsylvania 19103 June 10,2014 DFLIVERY VIA SECURE EMAIL. Chief

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

Navigating the New MA Data Security Regulations

Navigating the New MA Data Security Regulations Navigating the New MA Data Security Regulations Robert A. Fisher, Esq. 2009 Foley Hoag LLP. All Rights Reserved. Presentation Title Data Security Law Chapter 93H Enacted after the TJX data breach became

More information

Cybersecurity..Is your PE Firm Ready? October 30, 2014

Cybersecurity..Is your PE Firm Ready? October 30, 2014 Cybersecurity..Is your PE Firm Ready? October 30, 2014 The Panel Melinda Scott, Founding Partner, Scott Goldring Eric Feldman, Chief Information Officer, The Riverside Company Joe Campbell, CTO, PEF Services

More information

Featured Article Federal Red Flag and Related Identity Theft Prevention Rules: Is Your Organization in Compliance?

Featured Article Federal Red Flag and Related Identity Theft Prevention Rules: Is Your Organization in Compliance? Featured Article Federal Red Flag and Related Identity Theft Prevention Rules: Is Your Organization in Compliance? Article contributed by: Nancy L. Perkins, Arnold & Porter LLP As of November 1, 2008,

More information

The Problems With SEC s Cybersecurity Approach

The Problems With SEC s Cybersecurity Approach Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com The Problems With SEC s Cybersecurity Approach Law360,

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Instructions for Completing the Information Technology Officer s Questionnaire

Instructions for Completing the Information Technology Officer s Questionnaire Instructions for Completing the The (Questionnaire) contains questions covering significant areas of a bank s information technology (IT) function. Your responses to these questions will help determine

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for

More information

California State University, Sacramento INFORMATION SECURITY PROGRAM

California State University, Sacramento INFORMATION SECURITY PROGRAM California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...

More information

UNITED STATES OF AMERICA Before the SECURITIES AND EXCHANGE COMMISSION

UNITED STATES OF AMERICA Before the SECURITIES AND EXCHANGE COMMISSION UNITED STATES OF AMERICA Before the SECURITIES AND EXCHANGE COMMISSION SECURITIES EXCHANGE ACT OF 1934 Release No. 60733 / September 29, 2009 INVESTMENT ADVISERS ACT OF 1940 Release No. 2929 / September

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

Cybersecurity Risks, Regulation, Remorse, and Ruin

Cybersecurity Risks, Regulation, Remorse, and Ruin Financial Planning Association of Michigan 2014 Fall Symposium Cybersecurity Risks, Regulation, Remorse, and Ruin Shane B. Hansen shansen@wnj.com (616) 752-2145 October 23, 2014 Copyright 2014 Warner Norcross

More information

PROPOSED INTERPRETIVE NOTICE

PROPOSED INTERPRETIVE NOTICE August 28, 2015 Via Federal Express Mr. Christopher J. Kirkpatrick Secretary Office of the Secretariat Commodity Futures Trading Commission Three Lafayette Centre 1155 21st Street, N.W. Washington, DC

More information

Cybersecurity and internal audit. August 15, 2014

Cybersecurity and internal audit. August 15, 2014 Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices

More information

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Delaware Cyber Security Workshop September 29, 2015. William R. Denny, Esquire Potter Anderson & Corroon LLP

Delaware Cyber Security Workshop September 29, 2015. William R. Denny, Esquire Potter Anderson & Corroon LLP Changing Legal Landscape in Cybersecurity: Implications for Business Delaware Cyber Security Workshop September 29, 2015 William R. Denny, Esquire Potter Anderson & Corroon LLP Agenda Growing Cyber Threats

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Page 1. Copyright 2009. MFA - Moody, Famiglietti & Andronico, LLP. All Rights Reserved.

Page 1. Copyright 2009. MFA - Moody, Famiglietti & Andronico, LLP. All Rights Reserved. Page 1 Page 2 Page 3 Agenda Defining the Massachusetts Personal Data Security Law Becoming Compliant Page 4 Massachusetts Privacy Law Defining the Massachusetts Personal Data Security Law - 201 CMR 17.00

More information

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec. The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

RANDOLPH COUNTY PUBLIC WORKS. Identity Theft Prevention Program. Adopted September 1, 2009 Effective beginning September 1, 2009

RANDOLPH COUNTY PUBLIC WORKS. Identity Theft Prevention Program. Adopted September 1, 2009 Effective beginning September 1, 2009 RANDOLPH COUNTY PUBLIC WORKS Identity Theft Prevention Program Adopted September 1, 2009 Effective beginning September 1, 2009 I. PROGRAM ADOPTION The Randolph County Public Works Department ( the Department

More information

Vermont Information Technology Leaders

Vermont Information Technology Leaders Vermont Information Technology Leaders HIPAA COMPLIANCE POLICIES AND PROCEDURES Policy Number: InfoSec 1 Policy Title: Information Privacy and Security Management Process IDENT INFOSEC1 Type of Document:

More information

FINRA Publishes its 2015 Report on Cybersecurity Practices

FINRA Publishes its 2015 Report on Cybersecurity Practices Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February

More information

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

Data Privacy and Gramm- Leach-Bliley Act Section 501(b) Data Privacy and Gramm- Leach-Bliley Act Section 501(b) October 2007 2007 Enterprise Risk Management, Inc. Agenda Introduction and Fundamentals Gramm-Leach-Bliley Act, Section 501(b) GLBA Life Cycle Enforcement

More information

Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00)

Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00) Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00) May 15, 2009 LLP US Information Security Framework Historically industry-specific HIPAA Fair Credit Reporting

More information

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Security COMPLIANCE Checklist For Employers Compliance HIPAA Security COMPLIANCE Checklist For Employers All of the following steps must be completed by April 20, 2006 (April 14, 2005 for Large Health Plans) Broadly speaking, there are three major

More information

Identity theft continues to make headlines as evidenced by the

Identity theft continues to make headlines as evidenced by the Investment Advisers Must Ramp Up Identity Theft Prevention Efforts By Bibb L. Strench Bibb L. Strench is Counsel at Seward & Kissel s Washington, D.C. office. He provides advice to registered investment

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

SUPPLIER SECURITY STANDARD

SUPPLIER SECURITY STANDARD SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard

More information

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10) MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...

More information

IDENTITY THEFT: DATA SECURITY FOR EMPLOYERS. Boston, MA 02110 Richmond, Virginia 23219 Tel. (617) 502.8238 Tel. (804) 783.7579

IDENTITY THEFT: DATA SECURITY FOR EMPLOYERS. Boston, MA 02110 Richmond, Virginia 23219 Tel. (617) 502.8238 Tel. (804) 783.7579 IDENTITY THEFT: DATA SECURITY FOR EMPLOYERS Daniel J. Blake, Esq. Vijay K. Mago, Esq. LeClairRyan, A Professional Corporation LeClairRyan, A Professional Corporation One International Place, Eleventh Floor

More information

CITY OF ANDREWS IDENTITY THEFT PREVENTION PROGRAM

CITY OF ANDREWS IDENTITY THEFT PREVENTION PROGRAM CITY OF ANDREWS IDENTITY THEFT PREVENTION PROGRAM Approved: February 26, 2010 Reviewed: March 18, 2015 I. PROGRAM ADOPTION The City of Andrews ( Utility ) developed this Identity Theft Prevention ( Program

More information

AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM

AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM GENERAL: The Technology department is responsible for the managing of electronic devices and software for the District, as well as the Help Desk for resolution of employee-created help tickets. The subgroups

More information

Data Breach Response Planning: Laying the Right Foundation

Data Breach Response Planning: Laying the Right Foundation Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA

More information

The SEC s Initial Involvement: Encouraging Disclosures. From Comment Letters to Enforcement

The SEC s Initial Involvement: Encouraging Disclosures. From Comment Letters to Enforcement SEC ENFORCEMENT The SEC s Two Primary Theories in Cybersecurity Enforcement Actions By Daniel F. Schubert, Jonathan G. Cedarbaum and Leah Schloss WilmerHale Cyber attacks are increasingly common and affect

More information

Client Update NFA Adopts Interpretive Notice Regarding Information Systems Security Programs

Client Update NFA Adopts Interpretive Notice Regarding Information Systems Security Programs 1 Client Update NFA Adopts Interpretive Notice Regarding Information Systems Security Programs NEW YORK Byungkwon Lim blim@debevoise.com Gary E. Murphy gemurphy@debevoise.com Michael J. Decker mdecker@debevoise.com

More information

CHAPTER 2016-138. Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033

CHAPTER 2016-138. Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033 CHAPTER 2016-138 Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033 An act relating to information technology security; amending s. 20.61, F.S.; revising the

More information

NOTES. Cyber Security

NOTES. Cyber Security S Cyber Security Cyber incidents can result from deliberate attacks or unintentional events. Cyber attacks include gaining unauthorized access to digital systems for purposes of misappropriating assets

More information

Appendix VIII SAS 70 Examinations of EBT Service Organizations

Appendix VIII SAS 70 Examinations of EBT Service Organizations Appendix VIII SAS 70 Examinations of EBT Service Organizations Background States must obtain an examination by an independent auditor of the State electronic benefits transfer (EBT) service providers (service

More information

WHITE PAPER: MASSACHUSETTS DATA SECURITY REGULATIONS

WHITE PAPER: MASSACHUSETTS DATA SECURITY REGULATIONS WHITE PAPER: MASSACHUSETTS DATA SECURITY REGULATIONS Introduction Massachusetts regulations set forth minimum requirements for both the protection of personal information and the electronic storage or

More information

RANDOLPH COUNTY EMERGENCY SERVICES & TAX DEPARTMENT. Identity Theft Prevention Program. Adopted August 3, 2009 Effective beginning August 1, 2009

RANDOLPH COUNTY EMERGENCY SERVICES & TAX DEPARTMENT. Identity Theft Prevention Program. Adopted August 3, 2009 Effective beginning August 1, 2009 RANDOLPH COUNTY EMERGENCY SERVICES & TAX DEPARTMENT Identity Theft Prevention Program Adopted August 3, 2009 Effective beginning August 1, 2009 I. PROGRAM ADOPTION The Randolph County Emergency Services

More information

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY

More information

HIPAA and Mental Health Privacy:

HIPAA and Mental Health Privacy: HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association

More information

Substantive Requirements for a Registered Investment Adviser under the U.S. Investment Advisers Act of 1940

Substantive Requirements for a Registered Investment Adviser under the U.S. Investment Advisers Act of 1940 Substantive Requirements for a Registered Investment Adviser under the U.S. Investment Advisers Act of 1940 Alternative investment fund managers and other investment advisory firms that are registered

More information

UNITED STATES OF AMERICA Before the SECURITIES AND EXCHANGE COMMISSION

UNITED STATES OF AMERICA Before the SECURITIES AND EXCHANGE COMMISSION UNITED STATES OF AMERICA Before the SECURITIES AND EXCHANGE COMMISSION INVESTMENT ADVISERS ACT OF 1940 Release No. 4204 / September 22, 2015 ADMINISTRATIVE PROCEEDING File No. 3-16827 In the Matter of

More information

Automation Suite for. 201 CMR 17.00 Compliance

Automation Suite for. 201 CMR 17.00 Compliance WHITEPAPER Automation Suite for Assurance with LogRhythm The Massachusetts General Law Chapter 93H regulation 201 CMR 17.00 was enacted on March 1, 2010. The regulation was developed to safeguard personal

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

Five keys to a more secure data environment

Five keys to a more secure data environment Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational

More information

Travis County Water Control & Improvement District No. 17. Identity Theft Prevention Program. Effective beginning November 20, 2008

Travis County Water Control & Improvement District No. 17. Identity Theft Prevention Program. Effective beginning November 20, 2008 Travis County Water Control & Improvement District No. 17 Identity Theft Prevention Program Effective beginning November 20, 2008 I. PROGRAM ADOPTION The Travis County Water Control and Improvement District

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

Massachusetts Identity Theft/ Data Security Regulations

Massachusetts Identity Theft/ Data Security Regulations Massachusetts Identity Theft/ Data Security Regulations Effective March 1, 2010 Are You Ready? SPECIAL REPORT All We Do Is Work. Workplace Law. In four time zones and 45 major locations coast to coast.

More information

Fortinet Solutions for Compliance Requirements

Fortinet Solutions for Compliance Requirements s for Compliance Requirements Sarbanes Oxley (SOX / SARBOX) Section / Reference Technical Control Requirement SOX references ISO 17799 for Firewall FortiGate implementation specifics IDS / IPS Centralized

More information

INFORMATION TECHNOLOGY OFFICER S QUESTIONNAIRE. Instructions for Completing the Information Technology Examination Officer s Questionnaire

INFORMATION TECHNOLOGY OFFICER S QUESTIONNAIRE. Instructions for Completing the Information Technology Examination Officer s Questionnaire Institution Charter Date of Exam Prepared By INFORMATION TECHLOGY OFFICER S QUESTIONNAIRE Instructions for Completing the Information Technology Examination Officer s Questionnaire The Information Technology

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Sample Information Security Policies

Sample Information Security Policies Sample Information Security Policies Sample Information Security Policies May 31, 2011 1 13740 Research Blvd Suite 2, Building T Austin, TX 78750 512.351.3700 www.aboundresources.com Boston Austin Atlanta

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

Security Framework Information Security Management System

Security Framework Information Security Management System NJ Department of Human Services Security Framework - Information Security Management System Building Technology Solutions that Support the Care, Protection and Empowerment of our Clients JAMES M. DAVY

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

RANDOLPH COUNTY HEALTH DEPARTMENT. Identity Theft Prevention Program. Adopted August 3, 2009 Effective beginning August 1, 2009

RANDOLPH COUNTY HEALTH DEPARTMENT. Identity Theft Prevention Program. Adopted August 3, 2009 Effective beginning August 1, 2009 RANDOLPH COUNTY HEALTH DEPARTMENT Identity Theft Prevention Program Adopted August 3, 2009 Effective beginning August 1, 2009 I. PROGRAM ADOPTION The Randolph County Health Department ( the Department

More information

HIPAA: In Plain English

HIPAA: In Plain English HIPAA: In Plain English Material derived from a presentation by Kris K. Hughes, Esq. Posted with permission from the author. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.

More information

OCIE CYBERSECURITY INITIATIVE

OCIE CYBERSECURITY INITIATIVE Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.

More information

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR 17.00 Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28,

More information

ISO 27001 COMPLIANCE WITH OBSERVEIT

ISO 27001 COMPLIANCE WITH OBSERVEIT ISO 27001 COMPLIANCE WITH OBSERVEIT OVERVIEW ISO/IEC 27001 is a framework of policies and procedures that include all legal, physical and technical controls involved in an organization s information risk

More information

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department

More information

DON T BE A VICTIM! IS YOUR ORGANIZATION PROTECTED FROM CYBERSECURITY THREATS?

DON T BE A VICTIM! IS YOUR ORGANIZATION PROTECTED FROM CYBERSECURITY THREATS? HEALTH WEALTH CAREER DON T BE A VICTIM! IS YOUR ORGANIZATION PROTECTED FROM CYBERSECURITY THREATS? FREEMAN WOOD HEAD OF MERCER SENTINEL NORTH AMERICA GREGG SOMMER HEAD OF OPERATIONAL RISK ASSESSMENTS MERCER

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C. Belmont Savings Bank Are there Hackers at the gate? 2013 Wolf & Company, P.C. MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2013 Wolf & Company, P.C. About Wolf & Company, P.C.

More information

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies

More information

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises Appendix Key Areas of Concern i. Inadequate coverage of cybersecurity risk assessment exercises The scope coverage of cybersecurity risk assessment exercises, such as cybersecurity control gap analysis

More information

SEC update: Cybersecurity initiatives. SEC update: Cybersecurity initiatives. Intelligize // 02

SEC update: Cybersecurity initiatives. SEC update: Cybersecurity initiatives. Intelligize // 02 Intelligize // 02 As is tradition, at the beginning of the year, the U.S. Securities and Exchange Commission outlined both its current state of affairs and annual goals for maintaining proper compliance

More information

Information Shield Solution Matrix for CIP Security Standards

Information Shield Solution Matrix for CIP Security Standards Information Shield Solution Matrix for CIP Security Standards The following table illustrates how specific topic categories within ISO 27002 map to the cyber security requirements of the Mandatory Reliability

More information