Southwest Area Regional Transit District Information Security Plan 2012
|
|
- Derrick Roberts
- 8 years ago
- Views:
Transcription
1 Southwest Area Regional Transit District Information Security Plan 2012 Board Approved pending October 2012
2 Table of Contents 1 Introduction Objectives and Purpose Authorized Officials Information System Owner and Designated Support Contacts Policies and Procedures Access Control Awareness and Training Security Assessment and Authorization Contingency Planning Identification and Authentication Maintenance Physical and Environmental Protection Personnel Security System and Services Acquisition System and Information Integrity Strategic Goals and Objectives Information System Monitoring Visitor Control Security Processes Implement Physical and Environmental Protection for Mission Critical Information Systems Enhance User Authentication References Terms and Acronyms Appendix A Security Control Table Appendix B Acknowledgement of Information Security Policy Appendix C HHSC Data Use and Business Associate Agreement October 2012
3 1 Introduction Computer information systems and networks are an integral part of business at Southwest Area Regional Transit District (SWART). SWART has made a substantial investment in human and financial resources to create these systems and realizes the importance of creating effective administrative, technical and physical safeguards in order to protect customers non-public information. Information security is the protection of technology resources and data from a wide range of threats to ensure business continuity and minimize business risks. SWART will continue to implement policies, procedures and controls to ensure information security is achieved. 1.1 Objectives and Purpose The SWART Information Security Plan provides policies, procedures and security controls currently implemented and identifies information security areas which SWART will address in the near future. The policies and procedures have been established in order to: Ensure the security and confidentiality of our customer s information Protect investment against any anticipated threats or hazards to the security or integrity of our customer information Protect against unauthorized access within SWART systems to or use of customer information that could result in substantial harm or inconvenience to any of our customers Reduce business and legal risk Protect the good name of the agency 2 Authorized Officials The following is a list SWART s authorized officials and Third Party Support Contacts to ensure that all information security policies and plans are followed: Organization Name Title Phone Number SWART Sarah Cook General Manager SWART Cynthia Z. Administrative Specialist Rodriguez SWART Sylvia Uriegas Financial Specialist SWART Chris Molnar Automation Director Jive (Support) Shah Software (Support) Intuit (Support Venture Technologies (Support) EPV Group Marty Loya Project Manager Table 1 Contacts 3 October 2012
4 3 Information System Owner and Designated Support Contacts Owner System Type Designated Third Party Support Contact Operational Status (Operational/Under Development/Major Modifications) (SWART) Accounting / Finance MIP Software Operational Infrastructure IT Support Networking, Servers, Routers, Venture Technologies, Operational 4 Policies and Procedures Scheduling and Dispatching Transportation Operations Software Shah Software Operational Intuit Operational Website Intuit Operational Telephone System JIVE Operational Table 2 Information Systems This section addresses the current policies and procedures with corresponding security controls (in [ ]) contained in NIST Special Publication Revision 3. See Appendix A for list of Security Controls. 4.1 Access Control Access Control Policy and Procedures [AC-1] This SWART Information Security Plan provides management, staff, employees, and contractors information on policies addressing secure information related to clients. The confidentiality and integrity of data stored on agency computer systems must be protected by access controls to ensure that only authorized employees have access. This access shall be restricted to only those capabilities that are appropriate to each employee's job duties. Any person who has access to client information is asked to review the SWART Information Security Plan and sign the Acknowledgement of Information Security Policy included in Appendix B Account Management [AC-2] All systems utilized by SWART have been set-up with separate admin and user accounts. Under this control, the Automation Director will perform the following: Responsible for the administration of access controls to all agency computer systems and will process adds, deletions, and changes Maintain a list of administrative access codes and passwords and keep this list in a secure area available only to the General Manager, Administrative Specialist and Financial Specialist 4 October 2012
5 With approval of General Manager and Automation Director will assign rights to programs and databases and ensure that employee has implemented acceptable password practices. Disable access to programs or database when employees are terminated Separation of Duties [AC-5] SWART has separated duties of individuals as necessary in order to assign information system authorization Automation Director The Automation Director and will supervise Information Security policies/procedures. The Automation Director is responsible for the administration of any security policy under the supervision of the General Manager and Administrative Specialist Manager. He or she will be assisted by a representative of the Third Party Support Contact listed for systems listed in Table 1 as required. The Automation Director with Guidance from the General Manager and the Administrative Specialist provides the following: Develop and maintain written standards and procedures necessary to ensure implementation of and compliance with security policy directives Provide appropriate support and guidance to assist employees to fulfill their responsibilities under any security policy directives Coordinate automation activities with the assistance of any other Third Party contractors. Ensure that only authorized key personnel have access to any external required electronic management systems specifically related to Texas Human Health and Services Commission for Medical Transportation. Ensure the confidentiality of passwords to external systems specifically related to Texas Human Health and Services Commission for Medical Transportation. Act as single point of contact for all software users regarding operational status of equipment and application software questions and troubleshooting. Maintain records of software licenses owned by SWART. Periodically (at least annually) scan agency computers to verify that only authorized software is installed Supervisors For each department within SWART, a Supervisor is assigned for the management of the department s staff. Supervisors will perform the following tasks: Ensure that all appropriate personnel are aware of and comply with the security policy 5 October 2012
6 Create appropriate performance standards, control practices, and procedures designed to provide reasonable assurance that all employees observe the security policy Supervisors will notify the Automation Director promptly whenever an employee leaves the agency so that his/her access can be revoked. Involuntary terminations must be reported concurrent with the termination. Supervisors will also notify the Automation Director when an employee needs access to programs or databases Contractors SWART will utilize SWART staff and has also hired contractors to perform IT services for the agency. These contractors will provide additional security controls within their own information system or technology. Automation Director Automation Director provides IT support services for all SWART internal servers, desktops and laptops. Automation Director will provide the following: Install and maintain appropriate antivirus software on all computers Respond to all virus attacks, destroy any virus detected, and document each incident. Ensure daily system backups are completed. Shah Software. SWART utilizes RouteMatch software for scheduling and dispatching transportation. RouteMatch Software will provide the following: Address user security policies by providing software enhancements Provide automatic daily database backups Provide software license management Ensure that software checks for unauthorized users by validating user accounts and passwords Help Desk support and troubleshooting Intuit Intuit provides SWART management and hosting of Services. Intuit will provide the following: Full installation and configuration of Services Help Desk support and troubleshooting Security and reliability 6 October 2012
7 Automation Director The Automation Director provides support and maintenance of SWART Website which is hosted at Intuit facility. The Automation Director along with Intuit provides the following: Secure website Administration functionality Secure Building Entry Customer Access Policies Customer Data Security Fire Control MIP Financial Software SWART has licenses and support for MIP Financial Software for managing finances and reporting. MIP Financial Software provides the following which is included in their support services: Application updates and upgrades including media for installation On-line backups Help Desk support and troubleshooting JIVE JIVE provides phone IT support services for SWART s phone servers. Services include the following: Maintain appropriate software updates/upgrades Address user security policies Help Desk support and troubleshooting Server support Least Privilege [AC-6] All applications accessed by SWART have an administrator login. The administrator has different privileges from the users. The following table describes the administrator privilege for each system: System Type Designated Third Party Administrator Privileges Support Contact Accounting / Finance Automation Director Set-up user accounts/passwords Set-up user module access Infrastructure Networking, Servers, Automation Director Perform operating system updates and maintenance 7 October 2012
8 Routers, Phone System Set-up and delete any user accounts and passwords Install required software Set-up security parameters on servers Set-up system backup process Scheduling Software Shah Software. Set-up user accounts/passwords Set-up user module access Provide application and database updates and maintenance Intuit and Automation Director Create and manage mailboxes Perform system updates and maintenance Perform system backups Update website for any required changes Website General Manager and Automation Director Website Servers Intuit Perform operating system updates and maintenance Table 2 Administrator Privileges Unsuccessful Login Attempts [AC-7] All applications being accessed by SWART management and staff require logins with passwords. The applications cannot be accessed until both username and password are correct and match. The password is encrypted and is never displayed to the user. If the user forgets their password, Automation Director will delete the current password and assign a new one to the user Concurrent Session Control [AC-10] All application being accessed by SWART management and staff are managed through user licenses. There is a limit on the number of concurrent sessions based on the number of available licenses Session Lock or Termination [AC-11] A security setting can be set-up in Shah Software. This security setting determines how many minutes after the last activity date and time logged for a session be considered abandoned and removed. After this time period, users must log back into the system Permitted Actions without Identification or Authentication [AC-14] Access to the internet is provided to employees for the benefit of SWART and its clients. Employees are able to connect to a variety of business information resources around the world. The following guidelines have been established for the using the internet and 8 October 2012
9 Employees using the Internet are representing the agency. Employees are responsible for ensuring that the internet is used in an effective, ethical, and lawful manner. Examples of acceptable use are: o Using Web browsers to obtain business information from commercial Web Sites o Accessing databases for information as needed. o Using the for business contact. Employees must not use the internet for purposes that are illegal, harmful to the agency or nonproductive. Examples of unacceptable use are: o Sending or forwarding chain [i.e., message containing instructions to forward the message to others. o Conducting personal business using agency resources o Transmitting any content that is offensive, harassing or fraudulent Ensure that all communications are for professional reasons and that they do not interfere with his/her productivity. Be responsible for the content of all text, audio, or images that she/he places or sends over the Internet. All communications should have the employee's name attached. Not transmit copyrighted materials without permission. Know and abide by all applicable SWART policies dealing with security and confidentiality of agency records. Avoid transmission of nonpublic customer information. If it is necessary to transmit nonpublic information, employees are required to take steps reasonably intended to ensure that information is delivered to the proper person who is authorized to receive such information for a legitimate use. File downloads from the Internet are not permitted unless specifically authorized by the General Manager, Automation Director or Administrative Specialist. All messages created, sent, or retrieved over the Internet are the property of the agency and may be regarded as public information. SWART reserves the right to access the contents of any messages sent over its facilities if the agency believes, in its sole judgment, that it has a business need to do so. All communications, including text and images, can be disclosed to law enforcement or other third parties without prior consent of the sender or the receiver Remote Access [AC-17] A Virtual Private Network (VPN) has been set-up to access the servers for maintenance and to access the MIP Financial Software and Shah Software application. Passwords are required to access the VPN Wireless Access [AC-18] A wireless access point is available in the SWART facility. It uses WEP encryption set-up and the password is managed by the Automation Director. There is guest account set-up. 9 October 2012
10 4.2 Awareness and Training Security Awareness and Training Policy [AT-1] SWART provides information to management and staff on all security policies. Security policies include the following: Internet access and use Prevention of computer viruses Password management Access to data Physical security Copy rights and license agreements 4.3 Security Assessment and Authorization Security Authorization [CA-6] SWART issues a HHSC Data Use and Business Associate Agreement that must be signed by staff, contractors, vendors, consultants or anyone associated with confidential information. See Appendix C. 4.4 Contingency Planning Information System Backup [CP-9] SWART performs incremental backups each night through an in house backup device and the Automation Director keeps a backup tape at a remote location. The internet is used to send incremental backups to the offsite service. Backup sets are encrypted and only Excelerated Technology has the password to retrieve the backup. Automation Director will ensure that server backup is completed daily to offsite backup Information System Recovery and Reconstitution [CP-10] System Recovery will be performed from on-line backups. RouteMatch also retains a backup copy of transit database. Intuit performs the following system backup tasks: Enterprise-level backup-to-disk solution with offsite replication to protect data and reduce recovery time. Automatic offsite queuing of in the event of an outrage Battery backup solution to ensure uptime during power outages. 10 October 2012
11 4.5 Identification and Authentication Identification and Authentication [IA-2] SWART s information systems will uniquely identify and authenticate users accessing systems. Authentication of user identities is accomplished through the use of passwords. The Automation Director will maintain a list of administrative access codes and passwords and keep this list in a secure area available only to the General Manager and Administrative Specialist. Employees are responsible for their passwords and the following: Shall be responsible for all computer transactions that are made with his/her User ID and password Shall not disclose passwords to others. Passwords must be changed immediately if it is suspected that they may have become known to others. Passwords should not be recorded where they may be easily obtained. Should use passwords that will not be easily guessed by others Should log out when leaving a workstation for an extended period All passwords used by Information Systems are encrypted. 4.6 Maintenance System Maintenance Policy and Procedures [MA-1] All systems are maintained with current versions of operating system and anti-virus software. 4.7 Physical and Environmental Protection Physical Access Control [PE-3] Within the SWART facility, a separate room is used for the location of information systems Access Control for Output Devices [PE-5] SWART has established policies to protect computer hardware, software data and documentation from misuse, theft, unauthorized access, and environmental hazards. The directives below apply to all employees: Diskettes should be stored out of sight when not in use. If they contain highly sensitive or confidential data, they must be locked up. Diskettes should be kept away from environmental hazards such as heat, direct sunlight, and magnetic fields. Critical computer equipment, e.g., file servers, must be protected by an Uninterruptible Power Supply (UPS). Other computer equipment should be protected by a surge suppressor. 11 October 2012
12 Environmental hazards to hardware such as food, smoke, liquids, high or low humidity, and extreme heat or cold should be avoided. Since the Automation Director is responsible for all equipment installations, disconnections, modifications, and relocations, employees are not to perform these activities. This does not apply to temporary moves of portable computers for which an initial connection has been set up by Administrative Assistant II. Employees shall not take shared portable equipment such as laptop computers out of the agency building without the informed consent of their supervisor and/or General Manager. Informed consent means that the supervisor knows what equipment is leaving, what data is on it, and for what purpose it will be used. Employees should exercise care to safeguard the valuable electronic equipment assigned to them. Employees who neglect this duty may be accountable for any loss or damage that may result Fire Protection SWART facility has a smoke alarm and multiple fire extinguishers located in key areas in the facility. 4.8 Personnel Security Personnel Screening [PS-3] SWART has established policies and procedures for personnel screening when hiring and as employees. These policies and procedures are documented in the employee handbook and provided to all employees. The policies and procedures are the following: Upon employment, all employees consent for SWART to conduct criminal background checks. The criminal history background check shall include at a minimum, but not limited to, felony or misdemeanor conviction of an act of abuse, neglect or exploitation of children, the elderly or persons with disabilities as defined in Texas Family Code, as amended, Chapter 261 and the Texas Human Resources Code, as amended, Chapter 48; an offense under the Texas Penal Code, as amended, against the person; against the family; against public order or decency; against public health, safety or morals; against property; an offense under Chapter 481 of the Texas Health and Safety Code, as amended, (Texas Controlled Substances Act). SWART shall conduct an Internet Computerized Criminal History file (CCH) background check and a National and State Sex Offender Registry check, prior to an individual transporting any passenger under SWART contracts. This will include SWART personnel and any sub-contractor or sub-contractor employee who directly works in providing transportation services to passengers and clients. This information shall be maintained on file for review by authorized funding source representatives. SWART shall check for felony and misdemeanor convictions for the seven years prior to the hire date and annually thereafter. Individuals with any criminal conviction that falls within 12 October 2012
13 the aforementioned categories shall not be allowed to participate in providing services unless authorized by funding sources. Employees, subcontractor, and subcontractor employees who provide transportation for passengers and/or clients shall notify SWART in writing immediately of criminal convictions (felony or misdemeanor) and or pending felony charges or placement on a Registry as a perpetrator. SWART will report information to funding source (as required) within 10 business days for determination if the CCH finding or reported incident will disqualify an operator from providing services under appropriate contract. SWART shall require each new employee, sub-contractor, or sub-contractor employee who provides transportation services and who has not resided or lived in Texas to sign a waiver attesting to the fact they have never been convicted of a felony or misdemeanor referenced in above paragraph or identified as a perpetrator. If they have been convicted, the nature and conviction date of the felony or misdemeanor must be disclosed. Annual MVR and criminal history checks will be conducted. SWART also conducts personal references and reserves the right to contact former employers. Request for DOT drug and alcohol testing information forms are also submitted to previous employers when applicants indicate they have worked for a DOT funded agency in the past. These references are used to verify whether drug/alcohol violations occurred in past employment. All safety sensitive staff (including drivers), as defined by the Federal Transit Administration, participate in an approved drug and alcohol testing program. The testing program includes drug testing as a condition of employment and drug and alcohol testing on a random basis at the FTA annual minimum random testing rates as set forth in the Federal Register as per 49 CFR Part (b) for drug and alcohol for all covered employees. As part of the orientation process, all SWART personnel are trained on the importance of reporting fraud or program abuse, sexual harassment, physical or verbal abuse as alleged by recipients or attendants during trips authorized by HHSC Personnel Termination [PS-4] The Automation Director will remove any employee accounts and passwords when an employee is terminated or resigns Access Agreements [PS-6] SWART issues a Data Use and Business Associate Agreement that must be signed by staff, contractors, vendors, consultants or anyone associated with confidential information. See Appendix C. 4.9 System and Services Acquisition Software Usage Restrictions [SA-6] Automation Director will: Maintain records of software licenses owned by SWART. Periodically (at least annually) scan agency computers to verify that only authorized software is installed. 13 October 2012
14 Ensure employee responsibilities related to software usage which includes the following: o Installation of software unless authorized by General Manager or Administrative Specialist is prohibited. Only software that is licensed to or owned by SWART is to be installed on SWART computers. o Copying of software must be authorized by General Manager or Administrative Specialist. o Download of software must be authorized by General Manager of Administrative Specialist System and Information Integrity Spam Protection All SWART systems have installed the latest version of Anti-Virus and Spam protection software. Intuit performs inbound filtering for spam, phishing attacks, viruses, and threats. Filtering occurs before s reaches Intuit mail servers. Antivirus protection is configured at the mailbox level. The following directives apply to all employees: Employees shall not knowingly introduce a computer virus into agency computers. Employees shall not load diskettes of unknown origin. Incoming diskettes shall be scanned for viruses before they are read. Any staff member who suspects that his/her workstation has been infected by a virus shall IMMEDIATELY POWER OFF the workstation and call the Administrative Assistant II. 5 Strategic Goals and Objectives This section sets the direction for future or near-term policies and procedures that SWART will implement in the next two years. It outlines three key areas of concentration that SWART will address for Information Systems and to continue protecting the information systems and data contained in each. 5.1 Information System Monitoring SWART Goal: Deploy monitoring devices, such as firewalls, to monitor events on the information system. Alerts can be generated from firewalls based on rules set on device to allow or deny network transmissions. 5.2 Visitor Control Security Processes SWART Goal: Control access to facility physical access to the information systems by authenticating employees and visitors before authorizing access to the facility. This can be accomplished by: 14 October 2012
15 Maintaining visitor access records (sign-in sheet) which include name/organization, signature, date and time of access, purpose of visit, and name/organization of person visited. Visitors are escorted to a designated area Cameras installed in key facility locations Installation of bar code readers for bar code scanning of employee badges or other devices to allow employees to enter facility and specific offices within SWART facility 5.3 Implement Physical and Environmental Protection for Mission Critical Information Systems SWART Goal: Move mission critical Information Systems to a Hosted Solution environment to facilitate the implementation of physical and environmental protection and associated physical and environmental controls. Mission Critical solutions are hosted at data centers which are secure, monitored and manned. This includes 24-hour security, Uninterrupted Power Supplies (UPS), diesel backup, fire protection, and off-site data backup facilities with geographical redundancy and mirrored potential. 5.4 Enhance User Authentication SWART Goal: Establish password organization-defined and restrictions including: Minimum password length Password composition such as case sensitivity, mix of upper-case letters, lower-case letters, numbers and special characters Enforce when new passwords are created Investigate roaming profile capability 15 October 2012
16 6 References The Federal Information Security Management Act of 2002 (FISMA) SWART Summary of Handbook Policies SWART Policies and Procedures June Terms and Acronyms DOT HHSC security control VPN WEP Encryption Department of Transportation Health and Human Services Commission Management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information. Virtual Private Network - secure network that uses primarily public telecommunication infrastructures, such as the Internet, to provide remote offices Security protocol for wireless networks that encrypts transmitted data 16 October 2012
17 Appendix A Security Control Table Table 1 Security Control Classes, Families and Identifiers 17 October 2012
18 Appendix B Acknowledgement of Information Security Policy Acknowledgment of Information Security Policy This form is used to acknowledge receipt of, and compliance with, the Southwest Area Regional Transit District Information Security Policy. Procedure Complete the following steps: 1. Read the Information Security Policy. 2. Sign and date in the spaces provided below. 3. Return this page only to the Administrative Specialist. Signature By signing below, I agree to the following terms: i. I have received and read a copy of the Information Security Policy and understand the same; ii. I understand and agree that any computers, software, and storage media provided to me by the agency contains proprietary and confidential information about Southwest Area Regional Transit District and its customers or its vendors, and that this is and remains the property of the agency at all times; iii. I agree that I shall not copy, duplicate (except for backup purposes as part of my job here at Southwest Area Regional Transit District), otherwise disclose, or allow anyone else to copy or duplicate any of this information or software; iv. I agree that, if I leave Southwest Area Regional Transit District for any reason, I shall immediately return to the agency the original and copies of any and all software, computer materials, or computer equipment that I may have received from the agency that is either in my possession or otherwise directly or indirectly under my control. Employee signature: Employee name: Date: 18 October 2012
19 Appendix C HHSC Data Use and Business Associate Agreement Southwest Area Regional Transit District Medical Transportation Confidentiality Acknowledgement By signing this form, I agree that it is my responsibility to maintain the utmost of confidentiality regarding Medical Transportation, all services requested and/or provided, clients, client s information, etc. SWART represents and warrants that individuals identified below have demonstrated need to know and have access to Confidential Information pursuant to this Agreement and the Base Contract, and further, that each agree to be bound by the disclosure and use limitations pertaining to the Confidential Information contained in the Agreement. SWART must maintain an updated, complete, accurate and numbered list of Authorized Users at all times and supply it to HHSC, as directed, to the extent those identified below change. Should I have any questions or concerns regarding these standards, I will contact my immediate supervisor immediately. Employee Printed Name Title Employee Signature Date Office Use ONLY: # Seq. Date Received Staff Initials 19 October 2012
Information Technology Security Policies
Information Technology Security Policies Randolph College 2500 Rivermont Ave. Lynchburg, VA 24503 434-947- 8700 Revised 01/10 Page 1 Introduction Computer information systems and networks are an integral
More informationThe Internet and e-mail 2 Acceptable use 2 Unacceptable use 2 Downloads 3 Copyrights 3 Monitoring 3. Computer Viruses 3
Table of Contents 1 Acceptable use 1 Violations 1 Administration 1 Director and Supervisor Responsibilities 1 MIS Director Responsibilities 1 The Internet and e-mail 2 Acceptable use 2 Unacceptable use
More informationSUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
More informationINFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL
INFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL 1 INTRODUCTION The County of Imperial Information & Technical Services (ITS) Security Policy is the foundation of the County's electronic information
More informationEstate Agents Authority
INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in
More informationU.S. Department of the Interior's Federal Information Systems Security Awareness Online Course
U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course Rules of Behavior Before you print your certificate of completion, please read the following Rules of Behavior
More informationLAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
More informationFranciscan University of Steubenville Information Security Policy
Franciscan University of Steubenville Information Security Policy Scope This policy is intended for use by all personnel, contractors, and third parties assisting in the direct implementation, support,
More informationNetwork and Workstation Acceptable Use Policy
CONTENT: Introduction Purpose Policy / Procedure References INTRODUCTION Information Technology services including, staff, workstations, peripherals and network infrastructures are an integral part of
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More informationDelaware State University Policy
Delaware State University Policy Title: Delaware State University Acceptable Use Policy Board approval date: TBD Related Policies and Procedures: Delaware State University Acceptable Use Policy A Message
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationSAMPLE TEMPLATE. Massachusetts Written Information Security Plan
SAMPLE TEMPLATE Massachusetts Written Information Security Plan Developed by: Jamy B. Madeja, Esq. Erik Rexford 617-227-8410 jmadeja@buchananassociates.com Each business is required by Massachusetts law
More informationSupplier IT Security Guide
Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA
More informationa) Access any information composed, created, received, downloaded, retrieved, stored, or sent using department computers.
CAYUGA COUNTY POLICY MANUAL Section 11 Subject: Electronic messaging and internet 1 Effective Date: 5/25/10; Res. 255-10 Supersedes Policy of: November 28, 2000 Name of Policy: County Computer Hardware-Software
More informationSenior School 1 PURPOSE 2 SCOPE 3 SCHOOL RESPONSIBILITIES
Senior School 1 PURPOSE The policy defines and describes the acceptable use of ICT (Information and Communications Technology) and mobile phones for school-based employees. Its purpose is to minimise the
More informationAPPROVED BY: Signatures on File Chief Information Officer APPROVED BY: Chief Financial Officer PURPOSE
TITLE: COMPUTER USE POLICY PAGE 1 OF 5 EFFECTIVE DATE: 07/2001 REVIEW DATES: 02/2003, 09/2006 REVISION DATES: 03/2005, 03/2008 DISTRIBUTION: All Departments PURPOSE APPROVED BY: Signatures on File Chief
More informationSITECATALYST SECURITY
SITECATALYST SECURITY Ensuring the Security of Client Data June 6, 2008 Version 2.0 CHAPTER 1 1 Omniture Security The availability, integrity and confidentiality of client data is of paramount importance
More informationHow To Protect Research Data From Being Compromised
University of Northern Colorado Data Security Policy for Research Projects Contents 1.0 Overview... 1 2.0 Purpose... 1 3.0 Scope... 1 4.0 Definitions, Roles, and Requirements... 1 5.0 Sources of Data...
More informationBEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
More informationAPHIS INTERNET USE AND SECURITY POLICY
United States Department of Agriculture Marketing and Regulatory Programs Animal and Plant Health Inspection Service Directive APHIS 3140.3 5/26/2000 APHIS INTERNET USE AND SECURITY POLICY 1. PURPOSE This
More informationMONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)
MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR 17.00 Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28,
More informationHIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information
More informationResponsible Use of Technology and Information Resources
Responsible Use of Technology and Information Resources Introduction: The policies and guidelines outlined in this document apply to the entire Wagner College community: students, faculty, staff, alumni
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationInformation Resources Security Guidelines
Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive
More informationensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster
Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)
More informationInformation Technology Security Procedures
Information Technology Security Procedures Prepared By: Paul Athaide Date Prepared: Dec 1, 2010 Revised By: Paul Athaide Date Revised: September 20, 2012 Version 1.2 Contents 1. Policy Procedures... 3
More informationMCOLES Information and Tracking Network. Security Policy. Version 2.0
MCOLES Information and Tracking Network Security Policy Version 2.0 Adopted: September 11, 2003 Effective: September 11, 2003 Amended: September 12, 2007 1.0 POLICY STATEMENT The Michigan Commission on
More informationWritten Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.
Written Information Security Plan (WISP) for HR Knowledge, Inc. This document has been approved for general distribution. Last modified January 01, 2014 Written Information Security Policy (WISP) for HR
More informationBUSINESS ONLINE BANKING AGREEMENT
BUSINESS ONLINE BANKING AGREEMENT This Business Online Banking Agreement ("Agreement") establishes the terms and conditions for Business Online Banking Services ( Service(s) ) provided by Mechanics Bank
More informationHow To Protect Decd Information From Harm
Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the
More informationIT - General Controls Questionnaire
IT - General Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks G1. ACCESS CONTROLS Access controls are comprised of those policies and procedures that are designed to allow
More informationAcceptable Use Policy
Acceptable Use Policy TABLE OF CONTENTS PURPOSE... 4 SCOPE... 4 AUDIENCE... 4 COMPLIANCE & ENFORCEMENT... 4 POLICY STATEMENTS... 5 1. General... 5 2. Authorized Users... 5 3. Loss and Theft... 5 4. Illegal
More informationMIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)
MIT s Information Security Program for Protecting Personal Information Requiring Notification (Revision date: 2/26/10) Table of Contents 1. Program Summary... 3 2. Definitions... 4 2.1 Identity Theft...
More informationMISSISSIPPI DEPARTMENT OF HEALTH COMPUTER NETWORK AND INTERNET ACCESS POLICY
MEMORANDUM TO: FROM: RE: Employee Human Resources MISSISSIPPI DEPARTMENT OF HEALTH COMPUTER NETWORK AND INTERNET ACCESS POLICY Please find attached the above referenced policy that is being issued to each
More informationDepartment of Homeland Security Management Directive System MD Number: 4900 INDIVIDUAL USE AND OPERATION OF DHS INFORMATION SYSTEMS/ COMPUTERS
Department of Homeland Security Management Directive System MD Number: 4900 INDIVIDUAL USE AND OPERATION OF DHS INFORMATION SYSTEMS/ COMPUTERS 1. Purpose This directive establishes the Department of Homeland
More informationCOLLINS CONSULTING, Inc.
COLLINS CONSULTING, Inc. TECHNOLOGY PLATFORM USE POLICY 53-R1 COLLINS CONSULTING, INC. TECHNOLOGY PLATFORM USE POLICY Confidential Collins Consulting, Inc. maintains, as part of its technology platform,
More informationHIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards
More informationHow To Protect The Time System From Being Hacked
WISCONSIN TIME SYSTEM Training Materials TIME SYSTEM SECURITY AWARENESS HANDOUT Revised 11/21/13 2014 Security Awareness Handout All System Security The TIME/NCIC Systems are criminal justice computer
More informationINFORMATION SECURITY PROGRAM
Approved 1/30/15 by Dr. MaryLou Apple, President MSCC Policy No. 1:08:00:02 MSCC Gramm-Leach-Bliley INFORMATION SECURITY PROGRAM January, 2015 Version 1 Table of Contents A. Introduction Page 1 B. Security
More informationBERKELEY COLLEGE DATA SECURITY POLICY
BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY TABLE OF CONTENTS Chapter Title Page 1 Introduction 1 2 Definitions 2 3 General Roles and Responsibilities 4 4 Sensitive Data
More informationInformation Security Policy September 2009 Newman University IT Services. Information Security Policy
Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms
More informationReynoldsburg City Schools Computer and Technology Acceptable Use Policy Staff, Volunteers and Students
Reynoldsburg City Schools Computer and Technology Acceptable Use Policy Staff, Volunteers and Students AUP Sections 1. Acceptable Use 2. Privileges 3. Internet Access 4. Procedures & Caveats 5. Netiquette
More informationInternet & Cell Phone Usage Policy
Internet & Cell Phone Usage Policy The Internet usage Policy applies to all Internet & Cell phone users (individuals working for the company, including permanent full-time and part-time employees, contract
More informationPierce County Policy on Computer Use and Information Systems
Pierce County Policy on Computer Use and Information Systems Pierce County provides a variety of information technology resources such as computers, software, printers, scanners, copiers, electronic mail
More informationAPPROVED BY: DATE: NUMBER: PAGE: 1 of 9
1 of 9 PURPOSE: To define standards for appropriate and secure use of MCG Health electronic systems, specifically e-mail systems, Internet access, phones (static or mobile; including voice mail) wireless
More informationResponsible Access and Use of Information Technology Resources and Services Policy
Responsible Access and Use of Information Technology Resources and Services Policy Functional Area: Information Technology Services (IT Services) Applies To: All users and service providers of Armstrong
More informationIdentity Theft Prevention Program Compliance Model
September 29, 2008 State Rural Water Association Identity Theft Prevention Program Compliance Model Contact your State Rural Water Association www.nrwa.org Ed Thomas, Senior Environmental Engineer All
More informationAppendix G District Email Policies and Procedures
Appendix G District Email Policies and Procedures I. Introduction Email has become one of the most used communications tools in both homes and work places and is now an integral part of all Joshua ISD
More informationPeace Corps Office of the OCIO Information and Information Technology Governance and Compliance Rules of Behavior for General Users
Table of Contents... 1 A. Accountability... 1 B. System Use Notification (Login Banner)... 1 C. Non-... 1 D. System Access... 2 E. User IDs... 2 F. Passwords... 2 G. Electronic Information... 3 H. Agency
More informationClear Creek ISD 084910 CQ (REGULATION) Business and Support Services: Electronic Communications
Clear Creek ISD 084910 CQ (REGULATION) SCOPE CONSENT REQUIREMENTS CHIEF TECHNOLOGY OFFICER RESPONSIBILITIES The Superintendent or designee will oversee the District s electronic communications system.
More informationNewcastle University Information Security Procedures Version 3
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
More informationBest Practices For Department Server and Enterprise System Checklist
Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT)
More informationInformation Technology Cyber Security Policy
Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please
More informationBoston Public Schools. Guidelines for Implementation of Acceptable Use Policy for Digital Information, Communication, and. Technology Resources
Boston Public Schools Guidelines for Implementation of Acceptable Use Policy for Digital Information, Communication, and Scope of Policy Technology Resources ACCEPTABLE USE POLICY AND GUIDELINES Boston
More informationSample Policies for Internet Use, Email and Computer Screensavers
Sample Policies for Internet Use, Email and Computer Screensavers In many of its financial management reviews, the Technical Assistance Section has encouraged municipalities to develop and adopt policies
More informationASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010
ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010 OBJECTIVE This Security Plan (the Plan ) is intended to create effective administrative, technical and physical safeguards for the protection
More informationColumbus Police Division Directive. I. Definitions. May 15, 1993 10.01 REVISED. Division Computer Systems
Columbus Police Division Directive EFFECTIVE NUMBER May 15, 1993 10.01 REVISED TOTAL PAGES Mar. 30, 2014 9 Division Computer Systems I. Definitions A. Executable File A program or file that automatically
More informationCity of Boston Department of Innovation and Technology Policy Title: Information Technology Resource Use Policy Effective Date: April 1, 2011
City of Boston Department of Innovation and Technology Policy Title: Information Technology Resource Use Policy Effective Date: April 1, 2011 Purpose and Intent The City of Boston recognizes the importance
More informationNorth Clackamas School District 12
North Clackamas School District 12 Code: IIBGA-AR Revised/Reviewed: 3/06/08; 6/21/12 Orig. Code(s): SP IIBGA Guidelines for the Use of the District s Electronic Communication System Definitions 1. Technology
More informationNewark City Schools Computer Network, Internet And Bring Your Own Device (BYOD) Acceptable Use Policy and Agreement
Newark City Schools Computer Network, Internet And Bring Your Own Device (BYOD) Acceptable Use Policy and Agreement The Newark City Schools is pleased to make available access to the Internet, and a Bring
More informationHIPAA Security Training Manual
HIPAA Security Training Manual The final HIPAA Security Rule for Montrose Memorial Hospital went into effect in February 2005. The Security Rule includes 3 categories of compliance; Administrative Safeguards,
More informationAdministrative Procedure 3720 Computer and Network Use
Reference: 17 U.S.C. Section 101 et seq.; Penal Code Section 502, Cal. Const., Art. 1 Section 1; Government Code Section 3543.1(b); Federal Rules of Civil Procedure, Rules 16, 26, 33, 34, 37, 45 The District
More informationAppendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice
Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help
More informationSection 5 Identify Theft Red Flags and Address Discrepancy Procedures Index
Index Section 5.1 Purpose.... 2 Section 5.2 Definitions........2 Section 5.3 Validation Information.....2 Section 5.4 Procedures for Opening New Accounts....3 Section 5.5 Procedures for Existing Accounts...
More informationCHIS, Inc. Privacy General Guidelines
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
More informationOdessa College Use of Computer Resources Policy Policy Date: November 2010
Odessa College Use of Computer Resources Policy Policy Date: November 2010 1.0 Overview Odessa College acquires, develops, and utilizes computer resources as an important part of its physical and educational
More informationCaldwell Community College and Technical Institute
Caldwell Community College and Technical Institute Employee Computer Usage Policies and Procedures I. PURPOSE: The purpose of this section is to define the policies and procedures for using the administrative
More informationHow To Write A Health Care Security Rule For A University
INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a
More informationMedford Public Schools Medford, Massachusetts. Software Policy Approved by School Committee
Software Policy Approved by School Committee General Statement of Policy The Medford Public Schools licenses the use of computer software from a variety of third parties. Such software is normally copyrighted
More information13. Acceptable Use Policy
To view the complete Information and Security Policies and Procedures, log into the Intranet through the IRSC.edu website. Click on the Institutional Technology (IT) Department link, then the Information
More informationDepartment of Finance and Administration Telephone and Information Technology Resources Policy and Procedures March 2007
Department of Finance and Administration Telephone and Information Technology Resources Policy and Procedures March 2007 I. Statement of Policy The Department of Finance and Administration (DFA) makes
More informationAuthorized. User Agreement
Authorized User Agreement CareAccord Health Information Exchange (HIE) Table of Contents Authorized User Agreement... 3 CareAccord Health Information Exchange (HIE) Polices and Procedures... 5 SECTION
More informationAP 417 Information and Communication Services
AP 417 Information and Communication Services Background Access and use of information and communication services (ICS) are an integral component of the learning and working environment. The ability for
More informationAcceptable Use Policy
Acceptable Use Policy I. Introduction Each employee, student or non-student user of Greenville County Schools (GCS) information system is expected to be familiar with and follow the expectations and requirements
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationDEPARTMENT OF MENTAL HEALTH POLICY/PROCEDURE
2 of 10 2.5 Failure to comply with this policy, in whole or in part, if grounds for disciplinary actions, up to and including discharge. ADMINISTRATIVE CONTROL 3.1 The CIO Bureau s Information Technology
More informationHealth Insurance Portability and Accountability Act (HIPAA) Overview
Health Insurance Portability and Accountability Act (HIPAA) Overview Agency, Contract and Temporary Staff Orientation Initiated: 5/04, Reviewed: 7/10, Revised: 10/10 Prepared by SHS Administration & Samaritan
More informationValdosta Technical College. Information Security Plan
Valdosta Technical College Information Security 4.4.2 VTC Information Security Description: The Gramm-Leach-Bliley Act requires financial institutions as defined by the Federal Trade Commision to protect
More informationEthical and Responsible Use of EagleNet 03/26/14 AMW
Campus Technology Services Solutions Center Juniata College 814.641.3619 help@juniata.edu http://services.juniata.edu/cts Ethical and Responsible Use of EagleNet 03/26/14 AMW Preamble The resources of
More informationRetention & Destruction
Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of
More informationInternet usage Policy
Internet usage Policy Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is
More informationHMIS SECURITY PLAN of the PHILADELPHIA CONTINUUM OF CARE
HMIS SECURITY PLAN of the PHILADELPHIA CONTINUUM OF CARE This plan describes the standards for the security of all data contained in the Philadelphia Continuum of Care Homeless Management Information System
More informationAll Users of DCRI Computing Equipment and Network Resources
July 21, 2015 MEMORANDUM To: From Subject: All Users of DCRI Computing Equipment and Network Resources Eric Peterson, MD, MPH, Director, DCRI Secure System Usage The purpose of this memorandum is to inform
More informationACCEPTABLE USE POLICY
ACCEPTABLE USE POLICY F. Paul Greene Harter Secrest & Emery LLP 1600 Bausch & Lomb Place Rochester, NY 14604 585-231-1435 fgreene@hselaw.com 2016 HARTER SECREST & EMERY LLP THE FOLLOWING TEMPLATE WAS DESIGNED
More informationProcedure Title: TennDent HIPAA Security Awareness and Training
Procedure Title: TennDent HIPAA Security Awareness and Training Number: TD-QMP-P-7011 Subject: Security Awareness and Training Primary Department: TennDent Effective Date of Procedure: 9/23/2011 Secondary
More informationPolicy for the Acceptable Use of Information Technology Resources
Policy for the Acceptable Use of Information Technology Resources Purpose... 1 Scope... 1 Definitions... 1 Compliance... 2 Limitations... 2 User Accounts... 3 Ownership... 3 Privacy... 3 Data Security...
More informationSupplier Security Assessment Questionnaire
HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.
More informationHIPAA Information Security Overview
HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is
More informationResponsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy
1.0 BACKGROUND AND PURPOSE Information Technology ( IT ) includes a vast and growing array of computing, electronic and voice communications facilities and services. At the Colorado School of Mines ( Mines
More informationTerms and Conditions of Use - Connectivity to MAGNET
I, as the Client, declare to have read and accepted the terms and conditions set out below for the use of the network connectivity to the Malta Government Network (MAGNET) provided by the Malta Information
More informationTechnology Department 1350 Main Street Cambria, CA 93428
Technology Department 1350 Main Street Cambria, CA 93428 Technology Acceptable Use and Security Policy The Technology Acceptable Use and Security Policy ( policy ) applies to all CUSD employees and any
More informationTameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:
Tameside Metropolitan Borough Council ICT Security Policy for Schools Adopted by: 1. Introduction 1.1. The purpose of the Policy is to protect the institution s information assets from all threats, whether
More informationInformation Technology Acceptable Use Policy
Information Technology Acceptable Use Policy Overview The information technology resources of Providence College are owned and maintained by Providence College. Use of this technology is a privilege, not
More informationInformation Security Program Management Standard
State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES
More informationAppendix A: Rules of Behavior for VA Employees
Appendix A: Rules of Behavior for VA Employees Department of Veterans Affairs (VA) National Rules of Behavior 1 Background a) Section 5723(b)(12) of title 38, United States Code, requires the Assistant
More informationCalifornia State University, Sacramento INFORMATION SECURITY PROGRAM
California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...
More information