1 Page 1 of 10 Table of Contents 1 Purpose Entities Affected by These Guidelines Definitions Guidelines Electronic Sanitization and Destruction When is Sanitization Warranted? Contacts Applicable Federal and State Laws and Regulations Related Documents... 9
2 Page 2 of 10 1 Purpose Computers and other forms of electronic storage media are often reassigned to another employee within a department, transferred to another campus department or division, or disposed or donated at the end of its useful life. Sometimes this equipment contains protected data, such as confidential, personal, medical, health insurance, or proprietary information, that should not be seen or used by others. It s imperative that this protected data be removed from the equipment prior to the reallocation or disposal. In addition, operating system and application software must be removed prior to donation or disposal in order for the University to remain compliant with software licensing agreements. This document presents the guidelines to follow to ensure that protected data is permanently removed from a personal computer, workstation, server, PDA or portable electronic storage media in such a way that the data is deliberately made non-recoverable. Additionally, this document discusses when to sanitize disks and devices that may contain protected data. 2 Entities Affected by These Guidelines All University employees using any University-owned or issued memory device are responsible for notifying ITS or their appropriate Information Technology Consultant (ITC) before: Relocating, reassigning, donating, or disposing of any memory device that contains protected data; Returning defective memory devices under warranty to the manufacturer for replacement; Sending defective memory devices to a vendor or computer store for repair or data recovery. NOTE: These guidelines are intended to ensure memory devices are donated or disposed of safely. All employees must still adhere to all existing University policies and procedures related to equipment donation or disposal. The responsibilities of these guidelines apply to all department administrators who must ensure that data sanitization has occurred prior to the relocation, reassignment, donation, or disposition of electronic storage media. The technical aspects of these guidelines apply to all ITS Baseline Services personnel and campus Information Technology Consultants (ITCs) who are responsible for ensuring that memory devices are sanitized according to instructions outlined in ITS-1021-G User Guidelines for Data Sanitization. These guidelines apply to all computer systems issued to campus users through Baseline and all IT systems that store protected data on personal computers or attached storage devices. Personal computers include portable systems, desktops, and workstations. The system user or their ITC is responsible for making appropriate backups before releasing any equipment to ITS or the ITC for data sanitization.
3 Page 3 of 10 3 Definitions a) Confidential Information: In addition to the personal information listed below, examples of confidential information include the following: financial records, student educational records, physical description, home address, home phone number, grades, ethnicity, gender, employment history, performance evaluations, disciplinary action plans, or NCAA standings. Confidential information must be interpreted in combination with all information contained on the computer to determine whether a violation has occurred. A student may exercise the option to consider directory information, which is normally considered public information, as confidential per the Family Educational Records Privacy Act (FERPA). Directory information includes the student s: name, address, phone, dates of attendance, degrees received, major program, height and weight (if an athlete), address, enrollment status, campus, school, college, division, class standing, and awards. b) Data Sanitization: The process of deliberately, permanently, and irreversibly removing or destroying the data stored on a memory device. A device that has been sanitized has no usable residual data and even advanced forensic tools should not ever be able to recover sanitized data. c) Disposition: A range of processes associated with implementing records/information retention, destruction, or transfer decisions that are documented in the records/information retention and disposition schedule or other authority. d) Electronic : Electronic or optical data storage media or devices that include, but are not limited to, the following: computer hard drives, magnetic disks, CDs, DVDs, flash drives, memory sticks, tapes and Personal Digital Assistants (PDAs e.g., Palm Pilots, Pocket PCs, and Smart phones). Also called memory devices. e) Health Insurance Information: An individual s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual s application and claims history, including any appeals records. f) Level 1 Confidential Data: Confidential data is information maintained by the University that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws. Confidential data is information whose unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to the CSU, its students, employees or customers. Financial loss, damage to the CSU s reputation and legal action could occur if data is lost, stolen, unlawfully shared, or otherwise compromised. Level 1 data is intended solely for use within the CSU and limited to those with a business need-to-know. Statutes, regulations, other legal obligations or mandates protect much of this information. Disclosure of Level 1 data to persons outside of the University is governed by specific standards and controls designed to protect the information.
4 Page 4 of 10 g) Level 2 Internal Use Data: Internal use information is data that must be protected due to proprietary, ethical, or privacy considerations. Although not specifically protected by statute, regulations, or other legal obligations or mandates, unauthorized use, access, disclosure, acquisition, modification, loss, or deletion of information at this level could cause financial loss, damage to the CSU s reputation, violate an individual s privacy rights, or make legal action necessary. Non-directory educational information may not be released except under certain prescribed conditions. h) Memory Device: Devices that include, but are not limited to computer hard drives, magnetic disks, computer tapes, flash memory devices, CDs and DVDs, PDAs (Palm Pilots, Pocket PCs, and Smart phones), Zip disks, USB storage devices (flash drives, ipods, portable hard drives). i) Personal Information: California Civil Code defines personal information as: An individual s first name or first initial and last name in combination with any one or more of the following data elements: Social Security Number Driver s license or California Identification Card number Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual s financial account Medical information Health insurance information j) Portable Electronic : Includes, but not limited to, the following: CDs, CDRWs, DVDs, Zip disks, flash drives, floppy disks, i-pods, digital media players, and portable hard drives. k) Proprietary Information: Information that an individual or entity possesses, owns, or for which there are exclusive rights. Examples include: faculty research, copyrighted materials, white papers, research papers, business continuity and other business operating plans, messages, vitae, letters, confidential business documents, organization charts or rosters, detailed building drawings, and network architecture diagrams. Proprietary information, if lost or stolen, could compromise, disclose, or interrupt operations or embarrass the individual or the University. l) Protected Data: An all-encompassing term that includes any information defined herein as confidential, personal, proprietary, health insurance, or medical information. See Level 1 Confidential Data and Level 2 Internal Use Data. m) Record: Authentic official copy of a document deposited with a legally designated officer (Merriam-Webster Online: Records can be in any format (handwritten, printed, digital, etc.) and can be stored on paper, computer media, , hand-held peripherals, CDs, DVDs, wireless devices, video or audio tapes, films, microfilm, microfiche, or any other media. n) Shredder: A device that renders documents completely unreadable by slicing/mincing paper into fine pieces. Approved shredders should be NSA Level 5 compatible.
5 Page 5 of 10 4 Guidelines ITS and ITCs are solely responsible for: Performing the data sanitization process on University-owned or issued computers and electronic storage media. Signing the Electronic Data Sanitization Verification form. Submitting the signed copy to Property Management (for donations or disposal) or the requesting department (for reassignments and relocations), as appropriate. It is important to recognize that almost all operating system (OS) commands designed to delete data or format disks do not remove all the data. Such commands are only to free up the space that the deleted files consumed. Most of the actual file data remains on the disk or memory device and there are a number of forensics products that can recover these data. Therefore, unless vendor supplied operating system commands and utilities have been specifically designed to sanitize data, they should not be used for this purpose. OS commands and utilities that are capable of sanitizing data files or entire disks typically have names like secure erase, secure delete or secure empty trash. Options for these programs and utilities often allow a user to specify how many times the disk or data should be wiped (erased and rewritten). Not all OS vendors supply programs are capable of data sanitization. Some newer machines have standard data sanitization programs (e.g., the HP Disk Sanitizer included in the BIOS, which meets the Department of Defense (DOD) data sanitization standard). Removing an unsanitized hard drive prior to transferring, donating, or disposing of the computer or electronic storage device is not an acceptable practice. Hard drives are University property and as such, must follow the same procedures for equipment disposal. In addition, these hard drives can easily be lost, forgotten, or stolen, and the protected data could then be obtained by unauthorized individuals. If the hard drive is to be removed and replaced with a new one, the original hard drive must be sanitized prior to removal and storage. Alternatively, if the department is retaining the hard drive as an archival of important department files, all files and documents containing protected data must be encrypted. All campus users should take appropriate measures to safeguard protected data on their systems. This document also serves as a reference for individual departments to adopt a standard data sanitization process. 4.1 Electronic Sanitization and Destruction There is no way to use any operating system to effectively sanitize the same operating system disk. In other words, an operating system cannot securely erase the disk that it is running off of. One quasi-exception is that Macintosh systems may be booted from the OS installation CD or DVD, and then the Disk Utility application may be used to sanitize any attached disks. For detailed instructions on data sanitization for Apple Mac systems, refer to ITS-1021-G User Guidelines for Data Sanitization. For other operating systems, the means to securely remove protected data from disks can either be magnetic or physical destruction, or the use of specialized software utilities that make data unrecoverable. The method used will depend on the circumstances (i.e., transfer of custody, survey of assets, etc.). Magnetic destruction involves applying a strong magnetic field to the device that erases all data. Physical destruction involves drilling holes into the platters and controller cards. If a department has access to specialized tools, a more thorough approach can be taken such as either taking apart the disk and cutting the platters into small pieces or otherwise destroying the disk
6 Page 6 of 10 (e.g., incineration or crushing). Sanitization guidelines for specific types of devices are described in the following sections: a) Optical Media Destruction: CDs and DVDs that contain protected data need to be physically destroyed when they are no longer needed. Larger paper shredders can often do this, as can special CD/DVD destruction hardware. b) Removable Storage Devices Destruction: Removable storage devices that contain protected data need to be physically or magnetically destroyed when they are no longer needed. Most USB removable storage devices can be sanitized with sanitization tools such as Darik s Boot & Nuke (or similar products) or by physical destruction of the device. c) PDA and Smart Phone Sanitization and Destruction: Vendor software is not guaranteed to actually sanitize the memory in these devices and third-party products are more focused on encryption. It is difficult to be certain that a device has been securely sanitized. The recommended approach is to manually delete all stored information and then perform a manufacturer s hard reset to reset the device to factory state. 4.2 When is Sanitization Warranted? The following scenarios are intended to cover all possible circumstances that would require data sanitization. In all cases, the device is assumed to contain protected data and physical custody of the device is transferred. a) Custody of the Device is Transferred Within a College or Division: In this case, a device is transferred from one person to another who works in the same college / division and the new custodian has the same level of access to protected data. If the original device owner and the new owner have the same rights to view the protected data stored on the device, and there is written approval for the transfer from management, there is no need for data sanitization. The device may be transferred without removing any protected data. However, if the recipient is restricted from accessing the stored data, the files containing this data must be sanitized according to ITS-1021-G User Guidelines for Data Sanitization. b) Custody of the Device is Transferred to a Different College or Division: When a device is transferred from one person to another in a different college / division, all protected data on the device needs to be sanitized according to ITS-1021-G User Guidelines for Data Sanitization. c) The Device is Transferred for Disposal or is Transferred Off Campus: When a device is to be disposed of or transferred off campus, all data should be sanitized, whether or not it is known to contain any confidential data. In addition, the operating system and all software applications must be removed to ensure the campus remains compliant with software vendor licensing agreements. No system should leave the campus premises without all storage devices being either sanitized or removed. As part of the asset survey process, functional devices that are being disposed of are required to go through a physical destruction process as specified in ITS-1021-G User Guidelines for Data Sanitization.
7 Page 7 of 10 d) The Device is Defective: When a defective device is to be sent off campus for data recovery, the vendor must comply with all information security requirements for Third Party Service Providers and agree to sign the Third Party Vendor/Consultant Information Confidentiality/Non-Disclosure Agreement (NDA), available at or provide a signed vendor NDA that meets the requirements of the CSULA NDA. Approval from the Director of must be obtained before the transfer occurs. Note: The University has previously used Kroll Ontrack Data Recovery Inc., a worldwide company that has over 30 years experience in recovering lost or damaged data from computers, servers, and systems. They provide a comprehensive Non- Disclosure Agreement to hold confidential any and all data contained on the device they are servicing. Their Web site is located at As part of the asset survey process, defective devices that are being disposed of are required to go through a physical destruction process as specified in ITS-1021-G User Guidelines for Data Sanitization. e) Devices not Managed by ITS: It is expected that custodians of systems that are not managed by Baseline and ITS will consult with their assigned Information Technology Consultant (ITC) regarding the proper sanitization procedure. Individual custodians of such devices are responsible for ensuring that all devices turned in for recycling or transfer to a third party are properly sanitized and/or destroyed before the device leaves the campus. 5 Contacts a. For questions regarding specific department data sanitization procedures, contact the department administrator or Information Technology Consultant (ITC). b. For assistance in data sanitization, contact the ITS Help Desk at c. For assistance in encrypting files, contact your department s Information Technology Consultant (ITC). d. For a list of Academic Affairs ITCs, visit e. For a list of Administration and Finance ITCs, visit f. For questions regarding these guidelines or information security, contact IT Security and Compliance at g. Information about FERPA requirements is available online at
8 Page 8 of 10 6 Applicable Federal and State Laws and Regulations Federal Family Educational Rights and Privacy Act (FERPA) Gramm-Leach- Bliley Act 15 USC, Subchapter 1, Sec Health Insurance Portability & Accountability Act (HIPAA), 45 C.F.R. parts 160 & 164 State Title Family Educational Rights and Privacy Act (FERPA) A federal law that protects the privacy of student education records. Gramm Leach Bliley Act This is a federal law on the disclosure of nonpublic personal information. Standards for Privacy of Individually Identifiable Health Information ctions.pdf A federal law that protects the privacy of health records. Title SB 1386 California Personal Information Privacy Act, SB This bill modified Civil Code Section to require notification to individuals whose personal information is or is assumed to have been acquired by unauthorized individuals. California Civil Code Sections , , , California Civil Code Sections Government Code Sections California Civil Code Section , , , This is a state law that provides information on safeguarding personal information. California Civil Code Section Destruction of Customer Records This is a state law that identifies steps to be taken in the destruction of customer s records. State Records Management Act Information on the administration of state records.
9 Page 9 of 10 7 Related Documents ID/Control # CSULA Administrative Procedure 509 Title Property Survey Establishes the policy and procedures governing the accountability, control, inventory, movement, and other responsibilities for University property surveys. CSULA Administrative Procedure 507 Property Control Establishes the policy and procedures governing the accountability, control, inventory, movement, and other responsibilities for University property. CSULA Administrative Procedure 707 Record Retention and Disposition This document establishes procedures for the transfer of University records to the State Records Center, the retrieval of stored records, and the destruction of obsolete records. CSU Information Security Policy The California State University System-wide Information Security Policy This document provides policies governing CSU information assets. ITS-1005-G User Guidelines for Portable Electronic G_PortableElectronicStorageMedia.pdf These guidelines are intended to help students, faculty, and staff meet the University s accepted standards for protecting confidential information that is copied, downloaded, or stored on portable electronic storage media. ITS-1021-G ITS-8830 User Guidelines for Data Sanitization G_DataSanitization.pdf These guidelines define the appropriate data sanitization tools and procedures to meet security standards. Electronic Data Sanitization Verification Data Disposal Verfication.doc
10 Page 10 of 10 ID/Control # CSULA Gramm- Leach-Bliley Information Security Program Title This form must be completed to authenticate the data sanitization process for every electronic storage device prior to relocation, reassignment, donation, or disposition. Gramm-Leach-Bliley Information Security Program for CSULA The GLB Information Security Plan for CSULA. It serves as a guide for how information security is to be maintained at the campus.
California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...
Administrative Procedure Number: 707 Effective: 5/13/2011 Supersedes: INTERIM Page: 1 of 11 Subject: RECORDS RETENTION, MANAGEMENT, AND DISPOSITION PROGRAM 1.0. PURPOSE: 1.1. To establish and administer
POLICIES Campus Data Security Policy Issued: September, 2009 Responsible Official: Director of IT Responsible Office: IT Central Policy Statement Policy In the course of its operations, Minot State University
Bedford County Tennessee Digital Media and Hardware Disposal Policy Date: 08.31.11 Approved By: Chris White Policy Number: 1 P age 1.0 INTRODUCTION 3 1.1 Authority. 3 1.2 Purpose.. 3 1.3 Scope 3 1.4 Background.
Doing Business in Oregon Under the Oregon Consumer Identity Theft Protection Act and Related Privacy Risks Privacy Data Loss www.breachblog.com Presented by: Mike Porter March 10, 2009 2 Privacy Data Loss
State of Vermont Digital Media and Hardware Disposal Standard Date: Approved by: Policy Number: 1.0 INTRODUCTION... 3 1.1 Authority... 3 1.2 Scope and Purpose:... 3 2.0 STANDARD... 3 2.1 Preface... 3 2.2
Page 1 of 9 TITLE: INFORMATION SECURITY: DEVICE AND MEDIA CONTROLS POLICY: Reasonable steps are taken to protect, account for, properly store, back up, encrypt and dispose of hardware, paper and electronic
Page 1 of 10 Table of Contents 1. Purpose... 2 2. Entities Affected by This Guideline... 2 3. Definitions... 2 4. Guidelines... 3 4.1 Requesting Data Center or... 3 4.2 Requirements for Data Center or...
HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as required by HIPAA. 1. Definitions. a. Business Associate, as used in this Contract, means the
Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721 Electronic Information Security and Data Backup Procedures Date Adopted: 4/13/2012 Date Revised: Date Reviewed: References: Health Insurance Portability
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
UMBC POLICY ON ELECTRONIC MEDIA DISPOSAL UMBC# X-1.00.05 I. POLICY STATEMENT Increasing amounts of electronic data are being transmitted and stored on computer systems and electronic media by virtually
Data Destruction and Sanitation Program Mobile (ON-SITE) Data Destruction/Shredding Services 1 Diversified Recycling utilizes state of the art equipment for their data destruction and eradication services.
SJSU Electronic Data Disposition Standard Page 1 Executive Summary University data is at risk as long as it is persistently stored on electronic media. This means that data must be properly cared for during
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION Robert N. Young, Director Carruthers & Roth, P.A. Email: email@example.com Phone: (336) 478-1131 TOPICS 1. Threats to your business s data 2. Legal obligations
HIPAA Training for Staff and Volunteers Objectives Explain the purpose of the HIPAA privacy, security and breach notification regulations Name three patient privacy rights Discuss what you can do to help
UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information
State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES
TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology
Information Security Policy Policy Contents I. POLICY STATEMENT II. REASON FOR POLICY III. SCOPE IV. AUDIENCE V. POLICY TEXT VI. PROCEDURES VII. RELATED INFORMATION VIII. DEFINITIONS IX. FREQUENTLY ASKED
Information Security Policy Introduction The purpose of the is policy is to protect Rider University information resources from accidental or intentional unauthorized access, modification, or damage and
founded in 1872 LANDER UNIVERSITY Office of Information Technology Services LANDER UNIVERSITY STUDENT INFORMATION SECURITY AND PRIVACY PROCEDURE 2012 REVISION TABLE OF CONTENTS I. PRIVACY.....................................................
HIPAA Training for Hospice Staff and Volunteers Hospice Education Network Objectives Explain the purpose of the HIPAA privacy and security regulations Name three patient privacy rights Discuss what you
Virginia Commonwealth University Information Security Standard Title: Scope: Data Classification Standard This document provides the classification requirements for all data generated, processed, stored,
Information Technology Security Policies Randolph College 2500 Rivermont Ave. Lynchburg, VA 24503 434-947- 8700 Revised 01/10 Page 1 Introduction Computer information systems and networks are an integral
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval
PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING PURPOSE The purpose of this policy is to describe the procedures by which Workforce members of UCLA Health System and David Geffen School of Medicine
Information Security Plan effective March 1, 2010 Section Coverage pages I. Objective 1 II. Purpose 1 III. Action Plans 1 IV. Action Steps 1-5 Internal threats 3 External threats 3-4 Addenda A. Document
Information Security Section: General Operations Title: Information Security Number: 56.350 Index POLICY.100 POLICY STATEMENT.110 POLICY RATIONALE.120 AUTHORITY.130 APPROVAL AND EFFECTIVE DATE OF POLICY.140
The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training Introduction The HIPAA Security Rule specifically requires training of all members of the workforce.
CITY UNIVERSITY OF HONG KONG Handling Standard (Approved by the Information Strategy and Governance Committee in December 2013) PUBLIC Date of Issue: 2013-12-24 Document Control Document Owner Classification
Media Disposition and Sanitation Procedure Revision History Version Date Editor Nature of Change 1.0 11/14/06 Kelly Matt Initial Release Table of Contents 1.0 Overview... 1 2.0 Purpose... 1 3.0 Scope...
State of Illinois Department of Central Management Services MOBILE DEVICE SECURITY Effective: October 01, 2009 State of Illinois Department of Central Management Services Bureau of Communication and Computer
Why Zak Enterprises? Information contained on the hard drives of retired computers must be destroyed properly. Failure to do so can result in criminal penalties including fines and prison terms up to 20
COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name Introduction Removable Media and Mobile Device Policy Removable media and mobile devices are increasingly used to enable information access
Page 1 Page 2 Page 3 Agenda Defining the Massachusetts Personal Data Security Law Becoming Compliant Page 4 Massachusetts Privacy Law Defining the Massachusetts Personal Data Security Law - 201 CMR 17.00
University of California, Merced Measures Regarding Litigation Holds and Preservation of Electronically Stored Information (ESI) Responsible Officials: Executive Vice Chancellor and Provost Vice Chancellor
Electronic Records Management Guidelines Contents Section 1: Authority... 1 Section 2: Purpose and Scope... 1 Section 3: Records Custodian Responsibilities... 2 Section 4: Information Systems that produce,
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. firstname.lastname@example.org www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security
Protecting Personal Information A Business Guide Division of Finance and Corporate Securities Oregon Identity Theft Protection Act Collecting, keeping, and sharing personal data is essential to all types
Page 1 of 15 VISC Third Party Guideline REVISION CONTROL Document Title: Author: File Reference: VISC Third Party Guidelines Andru Luvisi CSU Information Security Managing Third Parties policy Revision
Ohio Supercomputer Center Portable Security Computing No: Effective: OSC-09 05/27/09 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original Publication
Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act) The GLB Act training packet is part of the Information Security Awareness Training that must be completed by employees. Please visit
CAYUGA COUNTY POLICY MANUAL Section 11 Subject: Electronic messaging and internet 1 Effective Date: 5/25/10; Res. 255-10 Supersedes Policy of: November 28, 2000 Name of Policy: County Computer Hardware-Software
BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY TABLE OF CONTENTS Chapter Title Page 1 Introduction 1 2 Definitions 2 3 General Roles and Responsibilities 4 4 Sensitive Data
ALTA OFFICE SECURITY AND PRIVACY GUIDELINES ALTA PURPOSE PURPOSE This document provides guidance to offices about protecting sensitive customer and company information. The protection of Non-public Personal
Office of the Chief Information Officer Online File Storage BACKGROUND Online file storage services offer powerful and convenient methods to share files among collaborators, various computers, and mobile
Understanding Data Destruction and How to Properly Protect Your Business Understanding Data Destruction and How to Properly Protect Your Business I. Abstract This document is designed to provide a practical
Rowan University Data Governance Policy Effective: January 2014 Table of Contents 1. Introduction... 3 2. Regulations, Statutes, and Policies... 4 3. Policy Scope... 4 4. Governance Roles... 6 4.1. Data
Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive
Roxio Secure Solutions for Law Firms Law firms can easily protect sensitive data stored on CD, DVD, Blu-ray Disc and USB flash media with Roxio Secure Solutions Introduction Law firms and their clients
Destruction and Disposal of Sensitive Data Good Practice Guidelines Version: 3.0 Date: March 2015 1 Copyright 2015, Health and Social Care Information Centre. Contents 1. Introduction 3 1.2 Aims and Objectives
plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of
GHL Network Services Ltd Enterprise Information Security Procedures Prepared By Nigel Gardner Date 16/11/09 1 Contents 1. Openwork s Information Security Policy...3 2. Enterprise Information Security Procedures...3
CCTM IA CLAIMS DOCUMENT (ICD) Data Eliminate Ltd DESTRUCTION OF DATA ON HARD DRIVES, COMPUTER STORAGE MEDIA AND HANDHELD DEVICES INCORPORATING WEEE RECYCLING MANAGEMENT Version 1 VENDOR DETAILS Data Eliminate
PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers
U.S. DEPARTMENT OF TRANSPORTATION FEDERAL AVIATION ADMINISTRATION National Policy Order 1830.9 A 09/18/2009 SUBJ; Cellular/Satellite Device Acquisition and Management 1. Purpose of this order. The Federal
Table of Contents: 000 Introductory Material 001 Introduction Western Oregon University v1.6 Please direct comments to: Bill Kernan, Chief Information Security Officer 100 Information Security Roles and
Payment Card Industry (PCI) Policy Manual Network and Computer Services Forward This policy manual outlines acceptable use Black Hills State University (BHSU) or University herein, Information Technology
POLICY AND GUIDELINES FOR THE MANAGEMENT OF ELECTRONIC RECORDS INCLUDING ELECTRONIC MAIL (E-MAIL) SYSTEMS 1. Purpose Establish and clarify a records management policy for municipal officers with respect
Research and the HIPAA Security Rule Prepared for the Association of American Medical Colleges by Daniel Masys, M.D. Professor and Chairman, Department of Biomedical Informatics Vanderbilt University School
Securing Data on Portable Media www.roxio.com Contents 2 Contents 3 Introduction 4 1 The Importance of Data Security 5 2 Roxio Secure 5 Security Means Strong Encryption 6 Policy Control of Encryption 7
CLACKAMAS COUNTY EMPLOYMENT POLICY & PRACTICE (EPP) EPP # 59 Implemented: 05/20/10 Clerical Update: Appropriate Use Policy Technology & Information PURPOSE: To establish rules governing use of County information
Polk County Wisconsin DESTRUCTION/DISPOSAL OF CLIENT HEALTH INFORMATION Policy 601.I Effective Date: April 15, 2003 Current Revision Date: Policy It is the policy of Polk County to ensure the privacy and
WHITE PAPER HIPAA-Compliant Data Backup and Disaster Recovery DOCUMENT INFORMATION HIPAA-Compliant Data Backup and Disaster Recovery PRINTED March 2011 COPYRIGHT Copyright 2011 VaultLogix, LLC. All Rights
Appendix 1 Payment Card Industry Data Security Standards Program PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect
MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR 17.00 Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28,
Technology and Information Management Policies, Usage & Information First Edition Vers 1.0 6/11/15 je Technology and Information Management Access for users Each user at CEI HQ that has access to the network
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
BACKUP AND CONTIGENCY PLANS (DISASTER RECOVERY) PURPOSE The purpose of this policy is to describe the backup and contingency plans, including disaster recovery planning, that will be implemented to ensure
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
Alphabet Soup - GLBA, FERPA and HIPAA: Security Best Practices (Session ID: 152) Maureen Carver, Assistant Dean and Registrar, Law School, Villanova University Rita Garner, Registrar, Medical College of
View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP
Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP A Note discussing written information security programs (WISPs)
Title: DPH Current Effective Date: September 22, 2003 Original Effective Date: April 14, 2003 Revision History: April 22, 2004 May 1, 2011 January, 2014 Purpose The purpose of the Division of Public Health
R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,