TEXAS WORKFORCE COMMISSION
|
|
- Alicia Stokes
- 7 years ago
- Views:
Transcription
1 TEXAS WORKFORCE COMMISSION Enterprise Information Security Program It is the policy of the Texas Workforce Commission that the Commission and its employees will protect the Information Resources (IR) of the Commission in accordance with the Texas Administrative Code (TAC), Title 1, Part 10, Chapter 202 Information Security Standards and the Information Resources Management Act (Texas Government Code Chapter 2054). The Commission will also protect the IR of the Commission in accordance with other applicable state and federal laws.
2 Information Security Program Purpose The Information Security Program (ISP) is established to provide a consolidated security environment and requirements for those Information Technology (IT) systems and resources currently owned, or acquired in the future, and under the ownership or the direct authority of the Texas Workforce Commission. In addition, through the ISP, specific responsibilities and behaviors are identified and expected for all users of TWC s IT systems and resources. The ISP identifies, establishes and documents security controls that support the authorization of this ISP and supplement, compliance with state and federal policies, assessment reporting and audit responses. As such, the ISP is revised and updated to support deployment of new technologies, respond to legislative or administrative policy changes and to address new and developing threats to IT assets. TWC s ISP is an enterprise effort designed to protect the organization s business interested, personnel and public by ensuring the confidentiality, integrity and availability of information resources and services. To achieve this, four primary areas are focused on: user education and training, information systems accreditation, intrusion protection and detection, and standards, guidelines and procedures. However, these are not all-inclusive and all areas of IT security are within the scope of the ISP. By emphasizing the importance of IT security, there will be a significant impact on the effectiveness of IT security within TWC. By standardizing on a consolidated approach to security policies, standards, guidelines and procedures, TWC will have simplified IT security management while ensuring appropriate safeguards to IT assets and creating a consistent security environment throughout the TWC enterprise. Importance Maintenance of Trust The public and employers of the State of Texas entrust large amounts of information to TWC on a daily basis. Compliance with simplified and standardized security policies, standards and guidelines will enhance the protection of this information including the information resources of the State of Texas and will enforce the reputation of TWC as an institution deserving of this trust. Continued Operations TWC is committed to the delivery of its services through the effective use of technology, information and automation. Compliance with information security standards will ensure the continuous availability and integrity of the technological assets critical to its ability to perform its mission. Protecting Investments TWC information resources represent a large financial investment in technologies and in information that cannot be easily replicated. These resources are critical to the mission of TWC and the State and must be protected. Texas Workforce Commission - Information Security. Enterprise Information Security Program p. 2 of 7
3 Compliance TWC information security policies, standards, guidelines and procedures are designed to ensure the highest levels of compliance with government requirements and best business practices. These include, but are not limited to: Texas Administrative Code, Title 1, Part 10, Chapter 202, Information Security Standards Title 20, CFR, Section and 603.7, Protection of Confidentiality Public Law , Computer Security Act of 1987 Federal Information Security Management Act of 2002 (FISMA) Best Practices In addition, particular attention is paid to recommendations of the National Institute of Standards and Technology (NIST) and International Standards Organization (ISO). Mission The Texas Workforce Commission is committed to creating and maintaining an environment that protects its information resources from accidental or intentional unauthorized use, modification, disclosure, destruction, or denial of services resulting from internal failure, human error, attack, or natural catastrophe. In order to meet this commitment, information security policies and practices are developed that reflect business and industry best practices, support compliance with applicable rule and law and hold executives, managers and all resource users accountable. Principles The following principles guide the development and implementation of Texas Workforce Commission information security policies, standards, guidelines and practices: Information is: A critical asset that must be protected, and Restricted to authorized personnel for authorized use. Information security is: A cornerstone of maintaining public trust, and is A business issue not solely a technical issue, and is Risk-based, cost effective, and aligned with business goals and objectives, and is Aligned with TWC priorities, best business practices and compliance requirements, and is Directed by policy but implemented by business owners, and most importantly Information Security is everyone s business. Texas Workforce Commission - Information Security. Enterprise Information Security Program p. 3 of 7
4 Structure The TWC Enterprise Security Program includes, but is not limited to, the following subprograms: Information Security Policies, Standards, Guidelines and Procedures. The creation, evaluation, implementation and oversight of computer security policies, standards, guidelines and procedures to support TWC Enterprise-wide information security programs that incorporate best business practices. Information Security Awareness. Management and guidance to ensure that all employees are aware of their security responsibilities and the secure use of TWC information resources. Certification and Accreditation. Provide business impact assessments by which the sensitivity and criticality of each resource is determined and the appropriate security requirements are identified. Provide security evaluation and management approval processes to ensure identified information resources are secure at levels appropriate to their criticality and sensitivity designation based on identified risks. Identify any residual risks prior to any information resource being placed into production and, periodically, over the life of the resource. Identify and implement requirements for periodic testing and evaluation of the effectiveness of protection mechanisms. Security Architecture. In cooperation with programming, development, operations and other functional area staff, manage and develop the security architecture to ensure the confidentiality, integrity and availability of TWC information resources. Review, evaluate and recommend security technologies for implementation. Make recommendations for the deployment of new security products in a responsible manner. Security Administration. In consultation with the appropriate functional areas provide overall policy and management to ensure system access permissions are appropriate to the job function, and granted or removed in a timely manner. Network Security. In consultation with appropriate functional areas provide overall policy and consulting support for TWC networks. Determine criteria for the evaluation of firewalls; recommend encryption solutions, review servers, business partner connectivity and appropriate public access. Business Continuity and Contingency Planning. In consultation with the appropriate functional areas provide policy support for effective planning to assure continued business operations under adverse conditions and situations. Information Security Incident Management. In cooperation with the appropriate areas of authority provide policy and consulting support for detection, responding to, and reporting information security incidents. Receive and track information security incident reports through resolution, escalate serious incidents, and incorporate lessons-learned into ongoing awareness and training programs. Provide support, as requested, in response to any information security incident. Compliance. Provide consulting support on industry and government best practices concerning inspections and evaluations, recommend remedial actions to address any significant deficiencies. Conduct security compliance reviews. Provide audit and other support to all internal and external oversight agencies and authorities. Texas Workforce Commission - Information Security. Enterprise Information Security Program p. 4 of 7
5 Persons Affected Information Resources This ISP with its associated policies, standards, guidelines and procedures apply to all information, in any form, related to Texas Workforce Commission business activities, employees, or customers, that has been created, acquired, or disseminated using the Texas Workforce Commission s resources, name, or funding. These policies apply to all technologies associated with the creation, collection, processing, storage, transmission, analysis, and disposal of information. These policies, standards, guidelines and procedures also apply to all information systems, applications, products, services, telecommunications networks, and related resources, which are sponsored by, operated on behalf of, or developed for the benefit of the Texas Workforce Commission. Organizations and Personnel These policies, standards, guidelines and procedures apply to all Texas Workforce Commission components and personnel, which include Texas Workforce Commission employees, Local Workforce Development Boards, contractors, vendors, business partners, and any other authorized users of non-public Texas Workforce Commission information systems, applications, telecommunication networks, data, and related resources. Responsibilities The state agency head has ultimate responsibility for all technology functions. These responsibilities, as allowed by the Texas Administrative Code, are delegated, in lieu of other written delegations, to certain agency functional area staff as follows: Director, Information Technology The Director, Information Technology or his designee, is the agency official responsible for developing and maintaining an agency-wide (Enterprise) information security program and has the following responsibilities for system security planning: Designates a Chief Information Security Officer who shall carry out the Director s responsibilities for system security planning, Oversees the development and maintenance of information security policies, procedures and controls to address system security planning, Oversees the management of identification, implementation and assessment of common security controls, Ensures that personnel with significant responsibilities for system security plans are adequately trained, and Ensures that sufficient financial resources are available to comply with federal and state regulations. Director, Data Processing The Director, Data Processing is the agency official with operational authority for specified information and responsibility for establishing the controls for the generation, collection, processing, dissemination and disposal of that information. The Director, or his designee, has the following responsibilities related to system security plans: Establish rules related to appropriate use and protection of TWC data and/or infrastructure, Texas Workforce Commission - Information Security. Enterprise Information Security Program p. 5 of 7
6 Provides input to systems/data owners related to security requirements and controls, Oversees access management including privileges and rights to data and systems, and Oversees the identification and assessment of common security controls. Chief Information Security Officer The Chief Information Security Officer (CISO) is the senior agency information security official and is the designee for system security responsibilities for the Director, Information Technology and the Director, Data Processing. The CISO also serves as the primary liaison to Information Owners and Data Custodians. The CISO is responsible for the implementation and oversight of the agency Information Security Program. The CISO has the following responsibilities: Carries out the Director, Information Technology s responsibilities for system security planning, Carries out the Director, Data Processing s responsibilities for system security planning, Serves as the Information Security Officer for the agency as required by the Texas Administrative Code, Coordinates the development, review, acceptance, implementation and enforcement of system security plans with appropriate staff, Coordinates the identification, implementation and assessment of security controls, Assists operational/functional area information security staff in the identification, implementation and assessment of security controls, and Coordinates the development and maintenance of the agency system security program. Information (Systems) Owners The Information (Systems) Owners are defined by the Texas Administrative Code as the person responsible for a business function and for determining controls and access to information resources supporting that business function. The Owners are responsible, in cooperation with all appropriate agency staff, for: Classifying business functional information, Establishing appropriate controls for data classifications, Approve access and formally assign custody of information resources, Determine the value of an information assets, Specify data control requirements, Confirm that controls are in place to ensure the accuracy, authenticity and integrity of data, Texas Workforce Commission - Information Security. Enterprise Information Security Program p. 6 of 7
7 Ensure compliance with all applicable controls, Assign custody of information resource assets and provide appropriate authority for the implementation of controls and procedures, Review all access lists based on documented security risk management decisions, and Communicate any discovery of situations and/or events which may have an impact on areas of systems security to the office of the CISO as appropriate. This includes, but is not limited to, all potential and/or actual breaches of IT assets, loss of IT assets, and unauthorized access or alteration, theft or disclosure of information resources. Rules of Behavior All users of non-public Texas Workforce Commission Information Resources are required to exercise appropriate caution in the use of those resources in order to assure the highest levels of protection to networks, systems and data held in trust by The Texas Workforce Commission. All users of non-public Texas Workforce Commission Information Resources must sign, and have on file, the appropriate Information Resource Usage Agreement for their user category. The Information Resources Usage Agreement clearly delineates user s responsibilities and expected behavior when making use of any non-public Texas Workforce Commission Information Resource. The Information Resources Usage Agreement clearly states the consequences of inappropriate behavior or noncompliance with system security policy and procedure. The Information Resources Usage Agreement is made available to all users prior to gaining access to any non-public TWC Information Resource. These rules of behavior are not a complete copy of the security policies, standards and guidelines of TWC, but rather they cover at a high level only those controls and behavioral expectations related to: Access and access protection/management Copyright protections, approved software, illegal installations Official vs. unofficial use of state resources/limited personal use Expectations of privacy and/or No expectations of privacy Individual accountability and responsibility Password usage Protection of privacy and confidentiality Asset Protections Data Protections Clear Screen Clear Desk Protections All users of non-public Texas Workforce Commission information resources shall have access to the complete Information Security Program which includes the most current Program, Policy, Standards and Guidelines documents. The Information Security Program, Policy, and Standards and Guidelines shall be the document(s) of authority in any decision making process related to the security of TWC Information Resources. Texas Workforce Commission - Information Security. Enterprise Information Security Program p. 7 of 7
Information Security Program Management Standard
State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES
More informationBEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
More informationWright State University Information Security
Wright State University Information Security Controls Policy Title: Category: Audience: Reason for Revision: Information Security Framework Information Technology WSU Faculty and Staff N/A Created / Modified
More informationIssue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager
Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationInformation Security Program
Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security
More informationInformation Security Policy and Handbook Overview. ITSS Information Security June 2015
Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information
More informationOffice of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
More informationTitle: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION
Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION The purpose of this policy is to outline essential roles and responsibilities within the University community for
More informationInformation Security Policy
Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems
More informationPBGC Information Security Policy
PBGC Information Security Policy 1. Purpose. The Pension Benefit Guaranty Corporation (PBGC) Information Security Policy (ISP) defines the security and protection of PBGC information resources. 2. Reference.
More informationGuideline for Roles & Responsibilities in Information Asset Management
ISO 27001 Implementer s Forum Guideline for Roles & Responsibilities in Information Asset Management Document ID ISMS/GL/ 003 Classification Internal Use Only Version Number Initial Owner Issue Date 07-08-2009
More informationELECTRONIC INFORMATION SECURITY A.R.
A.R. Number: 2.6 Effective Date: 2/1/2009 Page: 1 of 7 I. PURPOSE In recognition of the critical role that electronic information systems play in City of Richmond (COR) business activities, this policy
More informationDEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY
DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY This Plan we adopted by member, partner, etc.) on Our Program Coordinator (date). (Board of Directors, owner, We have appointed
More informationCHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)
CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT) PURPOSE: The purpose of this procedure is to establish the roles, responsibilities, and communication procedures for the Computer Security Incident
More informationNorwich University Information Assurance Security Policy. Final Version 10.0 for Implementation
Norwich University Information Assurance Security Policy Final Version 10.0 for Implementation Table of Contents Norwich University... 0 Information Assurance Security Policy... 0 1.0 Introduction... 2
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationData Security Incident Response Plan. [Insert Organization Name]
Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security
More informationNewcastle University Information Security Procedures Version 3
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
More informationCONSOLIDATED RECORDS MANAGEMENT SYSTEM (CRMS) USER AGREEMENT
CONSOLIDATED RECORDS MANAGEMENT SYSTEM (CRMS) USER AGREEMENT I. PURPOSE STATEMENT The TENNESSEE FUSION CENTER (TFC) is an initiative of the Tennessee Bureau of Investigation (TBI) and the Department of
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationInformation Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services
Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...
More informationADMINISTRATIVE POLICY # 32 8 2 (2014) Information Security Roles and Responsibilities
Policy Title: Information Security Roles Policy Type: Administrative Policy Number: ADMINISTRATIVE POLICY # 32 8 2 (2014) Information Security Roles Approval Date: 05/28/2014 Revised Responsible Office:
More informationSubject: Safety and Soundness Standards for Information
OFHEO Director's Advisory Policy Guidance Issuance Date: December 19, 2001 Doc. #: PG-01-002 Subject: Safety and Soundness Standards for Information To: Chief Executive Officers of Fannie Mae and Freddie
More informationThis procedure is associated with BCIT policy 6700, Freedom of Information and Protection of Privacy.
Privacy Breach No.: 6700 PR2 Policy Reference: 6700 Category: Information Management Department Responsible: Privacy and Records Management Current Approved Date: 2012 May 01 Objectives This procedure
More informationINFORMATION TECHNOLOGY RISK MANAGEMENT PLAN
10/25/2012 TECHNOLOGY SERVICES INFORMATION TECHNOLOGY RISK MANAGEMENT PLAN Procedure Name: LIT Risk Management Information Technology Plan ver 2.31.docx Risk Management Plan Issue Date: TBD Procedure Owner:
More informationOffice of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget
Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,
More informationInformation Resources Security Guidelines
Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive
More informationPolicy No: TITLE: EFFECTIVE DATE: CANCELLATION: REVIEW DATE:
Policy No: TITLE: AP-AA-17.2 Data Classification and Data Security ADMINISTERED BY: Office of Vice President for Academic Affairs PURPOSE EFFECTIVE DATE: CANCELLATION: REVIEW DATE: August 8, 2005 Fall
More informationmicros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.
micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5
More informationData Management & Protection: Common Definitions
Data Management & Protection: Common Definitions Document Version: 5.5 Effective Date: April 4, 2007 Original Issue Date: April 4, 2007 Most Recent Revision Date: November 29, 2011 Responsible: Alan Levy,
More informationInformation Security: Roles, Responsibilities, and Data Classification. Technology Services 1/4/2013
Information Security: Roles, Responsibilities, and Data Classification Technology Services 1/4/2013 Roles, Responsibilities, and Data Classification The purpose of this session is to: Establish that all
More informationBUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04
BUDGET LETTER SUBJECT: PEER-TO-PEER FILE SHARING REFERENCES: STATE ADMINISTRATIVE MANUAL SECTIONS 4819.2, 4840.4, 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 NUMBER: 05-03 DATE ISSUED: March 7, 2005 SUPERSEDES:
More informationTABLE OF CONTENTS. 2006.1259 Information Systems Security Handbook. 7 2006.1260 Information Systems Security program elements. 7
PART 2006 - MANAGEMENT Subpart Z - Information Systems Security TABLE OF CONTENTS Sec. 2006.1251 Purpose. 2006.1252 Policy. 2006.1253 Definitions. 2006.1254 Authority. (a) National. (b) Departmental. 2006.1255
More informationDIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is
More informationDIVISION OF INFORMATION SECURITY (DIS)
DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Information Systems Acquisitions, Development, and Maintenance v1.0 October 15, 2013 Revision History Update this table every time a new
More informationTEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL
TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for
More informationJohn Essner, CISO Office of Information Technology State of New Jersey
John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management
More informationINFORMATION TECHNOLOGY SECURITY POLICY
INFORMATION TECHNOLOGY SECURITY POLICY P R O C E D U R A L M E M O R A N D U M 7 0-05 D e p a r t m e n t o f I n f o r m a t i o n T e c h n o l o g y I n f o r m a t i o n S e c u r i t y O f f i c e
More informationIntel Enhanced Data Security Assessment Form
Intel Enhanced Data Security Assessment Form Supplier Name: Address: Respondent Name & Role: Signature of responsible party: Role: By placing my name in the box above I am acknowledging that I am authorized
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationState of Oregon. State of Oregon 1
State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationCITY UNIVERSITY OF HONG KONG Information Security Incident Management Standard
CITY UNIVERSITY OF HONG KONG Information Security Incident Management Standard (Approved by the Information Strategy and Governance Committee in December 2013; revision 1.1 approved by Chief Information
More informationHEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS
Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY
More informationInformation Security Program CHARTER
State of Louisiana Information Security Program CHARTER Date Published: 12, 09, 2015 Contents Executive Sponsors... 3 Program Owner... 3 Introduction... 4 Statewide Information Security Strategy... 4 Information
More informationHengtian Information Security White Paper
Hengtian Information Security White Paper March, 2012 Contents Overview... 1 1. Security Policy... 2 2. Organization of information security... 2 3. Asset management... 3 4. Human Resources Security...
More informationFISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS
TABLE OF CONTENTS General Topics Purpose and Authorities Roles and Responsibilities Policy and Program Waiver Process Contact Abbreviated Sections/Questions 7.1 What is the purpose of this chapter? 7.2
More informationWho Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5
Information Security Policy Type: Administrative Responsible Office: Office of Technology Services Initial Policy Approved: 09/30/2009 Current Revision Approved: 08/10/2015 Policy Statement and Purpose
More informationINITIAL APPROVAL DATE INITIAL EFFECTIVE DATE
TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology
More informationINFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.
INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. Copyright 2016 Table of Contents INSTRUCTIONS TO VENDORS 3 VENDOR COMPLIANCE PROGRAM OVERVIEW 4 VENDOR COMPLIANCE
More informationAttachment A. Identification of Risks/Cybersecurity Governance
Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year
More informationLegislative Language
Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting
More informationCHIS, Inc. Privacy General Guidelines
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.5)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided
More informationCalifornia State University, Sacramento INFORMATION SECURITY PROGRAM
California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...
More informationM E M O R A N D U M. Revised Information Technology Security Procedures INFORMATION TECHNOLOGY SECURITY PROCEDURES. I. General
M E M O R A N D U M To: From: IT Steering Committee Brian Cohen Date: March 26, 2009 Subject: Revised Information Technology Security Procedures The following is a revised version of the Information Technology
More informationAUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN. 1250 Siskiyou Boulevard Ashland OR 97520
AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN 1250 Siskiyou Boulevard Ashland OR 97520 Revision History Revision Change Date 1.0 Initial Incident Response Plan 8/28/2013 Official copies
More informationSTATE OF NEW JERSEY Security Controls Assessment Checklist
STATE OF NEW JERSEY Security Controls Assessment Checklist Appendix D to 09-11-P1-NJOIT P.O. Box 212 www.nj.gov/it/ps/ 300 Riverview Plaza Trenton, NJ 08625-0212 Agency/Business (Extranet) Entity Response
More informationC. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)
I. Title A. Name: Information Systems Security Incident Response Policy B. Number: 20070103-secincidentresp C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)
More informationDelphi Information 3 rd Party Security Requirements Summary. Classified: Public 5/17/2012. Page 1 of 11
Delphi Information 3 rd Party Security Requirements Summary Classified: Public 5/17/2012 Page 1 of 11 Contents Introduction... 3 Summary for All Users... 4 Vendor Assessment Considerations... 7 Page 2
More informationInformation Technology Policy
ITP Number ITP-SEC024 Category Security Contact RA-ITCentral@pa.gov Information Technology Policy IT Security Incident Policy Effective Date August 2, 2012 Supersedes Scheduled Review Annual 1. Purpose
More informationNew River Community College. Information Technology Policy and Procedure Manual
New River Community College Information Technology Policy and Procedure Manual 1 Table of Contents Asset Management Policy... 3 Authentication Policy... 4 Breach Notification Policy... 6 Change Management
More informationPrivacy Impact Assessment. For Person Authentication Service (PAS) Date: January 9, 2015
For Person Authentication Service (PAS) Date: January 9, 2015 Point of Contact and Author: Hanan Abu Lebdeh Hanan.Abulebdeh@ed.gov System Owner: Ganesh Reddy Ganesh.Reddy@ed.gov Office of Federal Student
More informationUnited States Citizenship and Immigration Services (USCIS) Enterprise Service Bus (ESB)
for the United States Citizenship and Immigration Services (USCIS) June 22, 2007 Contact Point Harry Hopkins Office of Information Technology (OIT) (202) 272-8953 Reviewing Official Hugo Teufel III Chief
More informationDUUS Information Technology (IT) Incident Management Standard
DUUS Information Technology (IT) Incident Management Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-E 1.0 Purpose and Objectives Computer systems
More informationDHHS Information Technology (IT) Access Control Standard
DHHS Information Technology (IT) Access Control Standard Issue Date: October 1, 2013 Effective Date: October 1,2013 Revised Date: Number: DHHS-2013-001-B 1.0 Purpose and Objectives With the diversity of
More informationOCIE CYBERSECURITY INITIATIVE
Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.
More informationFortinet Solutions for Compliance Requirements
s for Compliance Requirements Sarbanes Oxley (SOX / SARBOX) Section / Reference Technical Control Requirement SOX references ISO 17799 for Firewall FortiGate implementation specifics IDS / IPS Centralized
More informationThird Party Security Requirements Policy
Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,
More informationDocument Title: System Administrator Policy
Document Title: System REVISION HISTORY Effective Date:15-Nov-2015 Page 1 of 5 Revision No. Revision Date Author Description of Changes 01 15-Oct-2015 Terry Butcher Populate into Standard Template Updated
More informationSecuring the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer
Securing the FOSS VistA Stack HIPAA Baseline Discussion Jack L. Shaffer, Jr. Chief Operations Officer HIPAA as Baseline of security: To secure any stack which contains ephi (electonic Protected Health
More informationUnited States Antarctic Program Information Resource Management Directive 5000.01 The USAP Information Security Program
The National Science Foundation Office of Polar Programs United States Antarctic Program Information Resource Management Directive 5000.01 The USAP Information Security Program Organizational Function
More informationThe Protection Mission a constant endeavor
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
More informationPII Compliance Guidelines
Personally Identifiable Information (PII): Individually identifiable information from or about an individual customer including, but not limited to: (a) a first and last name or first initial and last
More informationBPA Policy 434-1 Cyber Security Program
B O N N E V I L L E P O W E R A D M I N I S T R A T I O N BPA Policy Table of Contents.1 Purpose & Background...2.2 Policy Owner... 2.3 Applicability... 2.4 Terms & Definitions... 2.5 Policy... 5.6 Policy
More informationLAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
More informationUtica College. Information Security Plan
Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles
More informationHow To Protect Decd Information From Harm
Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the
More informationAPPROVED BY: DATE: NUMBER: PAGE: 1 of 9
1 of 9 PURPOSE: To define standards for appropriate and secure use of MCG Health electronic systems, specifically e-mail systems, Internet access, phones (static or mobile; including voice mail) wireless
More informationMICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all
More informationIT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO-6009-09 TABLE OF CONTENTS
OFFICE OF THE CHIEF INFORMATION OFFICER Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: Section I. PURPOSE II. AUTHORITY III. SCOPE IV. DEFINITIONS V. POLICY VI. RESPONSIBILITIES
More informationPOSTAL REGULATORY COMMISSION
POSTAL REGULATORY COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT INFORMATION SECURITY MANAGEMENT AND ACCESS CONTROL POLICIES Audit Report December 17, 2010 Table of Contents INTRODUCTION... 1 Background...1
More informationOffice of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget
Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug
More informationNationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011
Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8
More informationINFORMATION SECURITY STRATEGIC PLAN
INFORMATION SECURITY STRATEGIC PLAN UNIVERSITY OF CONNECTICUT INFORMATION SECURITY OFFICE 4/20/10 University of Connecticut / Jason Pufahl, CISSP, CISM 1 1 MISSION STATEMENT The mission of the Information
More informationGeneral HIPAA Implementation FAQ
General HIPAA Implementation FAQ What is HIPAA? Signed into law in August 1996, the Health Insurance Portability and Accountability Act ( HIPAA ) was created to provide better access to health insurance,
More informationInformation Security Policy September 2009 Newman University IT Services. Information Security Policy
Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms
More informationHealth Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
More informationExecutive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:
Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance
More informationHIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards
More informationCal Poly Information Security Program
Policy History Date October 5, 2012 October 5, 2010 October 19, 2004 July 8, 2004 May 11, 2004 January May 2004 December 8, 2003 Action Modified Separation or Change of Employment section to address data
More informationEnrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------
w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------
More informationGENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS
GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS December 2005 2 GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS I. OBJECTIVE... 1 II. SCOPE... 1 III. APPLICATION OF LOCAL LAWS...
More informationHHS Information System Security Controls Catalog V 1.0
Information System Security s Catalog V 1.0 Table of Contents DOCUMENT HISTORY... 3 1. Purpose... 4 2. Security s Scope... 4 3. Security s Compliance... 4 4. Security s Catalog Ownership... 4 5. Security
More informationMicrosoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10
Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between
More informationStandard Operating Procedure Information Security Compliance Requirements under the cabig Program
Page 1 of 9 Pages Standard Operating Procedure Information Security Compliance Requirements under the cabig Program This cover sheet controls the layout and components of the entire document. Issued Date:
More informationPublication 805-A Revision: Certification and Accreditation
Postal Bulletin 22358 (3-7-13) Policies, Procedures, and Forms Updates Publication 805-A Revision: Certification and Accreditation Effective immediately, the January 2013 edition of Publication 805-A,
More informationData Processing Agreement for Oracle Cloud Services
Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services
More information