1 Policy No: TITLE: AP-AA-17.2 Data Classification and Data Security ADMINISTERED BY: Office of Vice President for Academic Affairs PURPOSE EFFECTIVE DATE: CANCELLATION: REVIEW DATE: August 8, 2005 Fall 2017 To provide a systematic method to ensure all University Data is properly categorized and classified by the appropriate Functional Unit; and to ensure that all users are made aware of Data security issues. AUTHORITY LA R.S. 44:1, et seq., LA R.S. 44:412; Part Two, Chapter III, Section IV of the Bylaws and Rules of the University of Louisiana System. University of Louisiana System Policy and Procedure Memorandum M- 17 (Records Retention and Litigation Hold). OBJECTIVE To establish a process of categorizing and classifying Data in order to further address Data security responsibilities and concerns. DEFINITIONS 1. Access to Data - an additional level of Data protection controlled at the user level, to limit, restrict, and monitor access to Data records. 2. Authorized Use - guards against use of The University of New Orleans systems and infrastructure for malicious acts against its own systems as well as attacks against other individuals and organizations. 3. Availability of Data - ensures timely and reliable access to and use of Data and information technology resources to carry on the mission of the University. These resources include assets such as intellectual property, research and instructional Data and systems, and physical assets. 4. Computing Resources - all devices (including, but not limited to, personal computers and laptops) owned by the University, the user or otherwise, which are part of or are used to access a) the University network, peripherals, and related equipment and software; b) Data/voice communications infrastructure, peripherals, and related equipment and software; c) and all other associated tools, instruments, facilities, and the services that make use of any technology resources owned, operated, or controlled by University Computing and Communications (UCC)
2 resources or components thereof may be individually assigned or shared, single-user or multiuser, stand-alone or networked, and/or mobile or stationary. 5. Confidential Information- Data that by law is not to be publicly disclosed. This designation is used for highly sensitive information whose access is restricted to authorized employees. Confidentiality provides protection of information from either intentional or accidental attempts to access personal or University information by unauthorized entities. Confidentiality covers Data in storage, during processing, and in transit. State and federal laws and regulations require the University to take reasonable steps to ensure security of some classifications of Data (e.g., FERPA, HIPAA). 6. Data - all information that is used by or belongs to the University, or that is processed, stored, maintained, transmitted, copied on, or copied from University computing resources. 7. Data Steward designated personnel within Functional Units that are responsible for the collection, maintenance, and integrity of the Data for that specific area. 8. Functional Unit- any campus, college, program, service, department, office, operating division, vendor, facility user, or other person, entity or defined unit of The University of New Orleans that has been authorized to access or use computing resources or Data. 9. Individual User - any person or entity that utilizes computing resources, including, but not limited to, employees (faculty, staff, and student workers), students, agents, vendors, consultants, contractors, or sub-contractors of the University. 10. Integrity of Data - protection against either intentional or accidental attempts by unauthorized entities to alter Data or modify information systems to impede it from performing its intended function. Integrity requires maintaining the University's reputation to manage the resources entrusted to it. 11. Least Privilege Principle - the principle that requires each person and/or Functional Unit to be granted the most restrictive set of privileges needed for the performance of authorized tasks. 12. Mission Critical Data- Public, Private or Confidential Data identified by the Data Steward as vital to the mission of the University. Unless otherwise authorized by the appropriate Data Steward, Mission Critical Data must be backed up on centralized servers maintained by the University. 13. Private (Internal) Data - any internal Data that derives its value from not being publicly disclosed, which includes information that the University is under legal or contractual obligation to protect. 14. Protected Information - Data that has been designated as Private or Confidential by law or by the University. Protected information includes, but is not limited to, employment records, medical records, mental health records, student records, education records, personal financial records (or other personally identifiable information), research Data, trade secrets, and classified government information. Protected information shall not include public records that by law must be made available to the general public. To the extent there is any uncertainty as to whether any Data constitutes protected information, the Data in question shall be treated as protected information until a determination is made by the University or proper legal authority.
3 15. Public Data - Data that any person or entity either internal or external to the University can access. GENERAL POLICY This policy establishes procedures for the categorization and classification of Data, sets forth methods for securing Data, and delineates the responsibilities of all Individual Users with respect to the maintenance of Data security. PROCEDURE The process of developing and implementing will be conducted in the following three phases; PHASE I Appointment of Data Stewards within Functional Units; PHASE II Classification of Data; PHASE III Recording of Data Classifications; and PHASE IV Continuing Review. The University s Records Management Committee will oversee the entire process. PHASE I - APPOINTMENT OF DATA STEWARD The President shall appoint a Data Steward for each Functional Unit to ensure that the University meets external and internal requirements for privacy and security of specific types of confidential and business information (e.g., student records, employee records, health records, financial transactions). This information should be communicated to the Information Technology Advisory Committee (ITAC). MAIN DATA TYPES AND RESPONSIBLE FUNCTIONAL UNIT. For purposes of this policy, Data is divided into categories, and the Functional Unit responsible for the Data is noted: Accreditation, Institutional Statistics, and Academic Program Records (Academic Affairs) Computing and Network Infrastructure Records (UCC) Employment Records, Including Benefits (HRM) Facility Operations Records (Campus Services) Financial Records (Financial Services) Intellectual Property Records (Technology Transfer) Law Enforcement Records (UNO Police) Legal Records (University Counsel) Library Records ( Earl Long Library) Mental Health Records, including client session video recordings (Counseling Services) Policy and Regulatory Compliance, including NCAA records (Office of the President) Research and Sponsored Programs Records (Office of Research & Sponsored Programs) Student Academic Records (Registrar) Student Financial Aid Records ( Student Financial Aid) Student Health Records/ Disability Services Records (Student Affairs) Student Judicial Records (Student Affairs) PHASE II - CLASSIFICATION OF DATA Data Stewards are advised to seek direction from the appropriate University administrative units, University Counsel, and the Records Management Officer to ensure accuracy and completeness throughout the classification of data process.
4 A. CATEGORIZING AND CLASSIFYING DATA. All Data, whether in hardcopy or electronic form shall be classified according to the categories outlined in Table 1. Data categories are as follows: i. PUBLIC DATA. The disclosure, use, or destruction of Public Data should have no adverse effects on the University nor carry any liability. Examples of Public Data include readily available news and information posted on the University s website. ii. iii. PRIVATE DATA. Internal Data that would lose its value to the University and/or the custodian of such Data would be destroyed or diminished if such Data were improperly disclosed to others. Private Data may be copied and distributed within the University only to authorized users. Private Data disclosed to authorized, external users must be done in accord with a non-disclosure agreement. Examples of Private Data include employmentrelated Data. CONFIDENTIAL DATA. Confidential Data may be disclosed only if the individual to whom such Data is to be disclosed has a valid need for access and the disclosure is specifically authorized by the appropriate Data Steward or designee. Confidential Data may not be copied without authorization from the identified custodian and will not be disclosed except as provided by University policy and procedures, or as required by operation of law or court order. Examples of Confidential Data include, but are not limited to, personally identifiable information in student education records, information contained in health records and mental health records, and personally identifiable non-public information about University employees. NOTE: Anyone creating a new information system that will store or handle Confidential Data must inform the Information Technology Advisory Committee (ITAC). TABLE 1 LEVEL OF SENSITIVITY ACCESS RESTRICTIONS LEGAL REQUIREMENTS REPUTATION RISK OTHER INSTITUTIONAL RISKS GENERAL GUIDE FOR CLASSIFICATION OF DATA CONFIDENTIAL DATA PRIVATE DATA PUBLIC DATA Moderate Level of Low Level of Highest, Most Sensitive Sensitivity Sensitivity Only those individuals designated with approved access, signed nondisclosure agreements, and a need-to know Protection of Data is required by law (e.g., HIPAA, FERPA) UNO employees and nonemployees who have a business needto-know UNO has a contractual obligation to protect the Data High Medium Low Information which provides access to Smaller subsets of protected Data from a school or department UNO affiliates and general public with a need-to-know Protection of Data is at the discretion of the owner/custodian General University information
5 EXAMPLES resources, physical or virtual Student records and unique student identification numbers Prospective students Employment Records* Health records and Information Mental Health Records Human subjects research Data that identifies Individuals Financial transactions of students and employees Personally Identifiable Financial Information Information resources with access to confidential Data Research Data or results that are not confidential Data Information covered by nondisclosure agreements Materials for performance of official duties Proprietary information of UNO or others contained within proposals, contracts, or license agreements Campus maps Personal directory information (e.g., contact information) Departmental websites Academic course descriptions News Information posted on University website Budgets Purchase Orders * Although certain records contained within employment files may be public records subject to disclosure under Louisiana State Revised Statute 44:1, such records should be maintained as Confidential Data and disclosure of public records shall only be made after a case-by-case determination. B. TREATMENT OF ELECTRONIC DATA. For the purpose of this policy, electronic mail ( ) and electronic files stored on University servers should be classified by the Data or information contained therein. For example, s that relate to specifically identified students must be kept as confidential education records. Each user should protect their s and electronic files in accordance to UNO Information Technology General User Policies. C. TREATMENT OF INTERMINGLED DATA. Often public records are intermingled with confidential Data and protected information, in such cases all the information and Data should be protected as confidential until it is necessary to segregate any public records. PHASE III - RECORDING OF DATA CLASSIFICATION Phase II classification of Data will be used to complete the Functional Unit s Records Retention Schedule throughout Phase III. Upon review and approval by the University s Records Management Committee, the Records Management Officer will submit the Records Retention Schedule to the Louisiana Secretary of State, Division of Archives, Records Management and History for agency approval. SECURITY OF DATA Data Security and Access to Data will be determined in accordance with Phase II Data Classifications.
6 A. DATA ACCESS. Access to Data will be authorized in accordance with the principle of Least Privilege, the application of which is intended to reduce the risk of harm that may result from accidental disclosure or unauthorized use of Private or Confidential Data. Access to Data may be further restricted by law, beyond the classification systems of the University. Access to Confidential Data is allowed only with the written approval of the responsible Data Steward or designee. Access rights must be reevaluated upon separation from employment or when an employee s job duties change. B. MISSION CRITICAL DATA. There are additional security concerns related to Mission Critical Data. Such Data can be found in any Data category: Public, Private, or Confidential. Mission Critical Data shall be determined by the Data Steward of each Functional Unit. In addition, the Data Steward must notify University Computing and Communications (UCC) of the specific Data classified as Mission Critical Data in order for that data to be backed up on centralized servers maintained by the University. C. EXTERNAL REQUESTS FOR DATA. i. Confidential Data shall not be provided to external parties or users without written approval from the Data Steward (e.g., Mortgage Verification, Garnishments, etc). In cases where the Data Steward is not available, approval may be obtained by the Director or Department Head of the office in which the Data is maintained, or by an official request from a senior executive officer of the University (e.g., President, Vice President/Provost, or Vice President). ii. Public Information Requests. Subject to statutory exceptions, Public Records are available for inspection and/or reproduction through the Office of the University Counsel, in accordance to the Louisiana Public Records Act (La. R.S. 44:1, et seq) and Article XII, Section 3 of the Louisiana Constitution. For details, please refer to AP Public Information Requests. D. REPORTING OF SECURITY INCIDENTS. Reporting security breaches or other security-related incidents is an ethical responsibility of all members of The University of New Orleans community. Security breaches must be addressed promptly and with the appropriate level of action. UNO IT User Policy outlines the responsibilities of colleges, departments, units, and individuals in reporting as well as defining procedures for handling security incidents. E. DATA SECURITY POLICIES. University Computing and Communications (UCC) has overall responsibility for the data security of the University's information technologies. Implementation of data security policies is delegated throughout the University to various University services, such as colleges, departments, and other units; and to individual users of campus information technology resources. Refer to UNO IT User Policy for details. PHASE IV - CONTINUING REVIEW Review and revision of the Data Classification and Data Security process will be conducted during Phase IV as needed in accordance with the schedule established by the Louisiana State Archives. RESPONSIBILITIES
7 Colleges/Departments are responsible for securing any information they create, manage, or store, and for any information they acquire or access from other University systems (e.g., student records, employment records, business information). Data Stewards are responsible for general record security issues and for ensuring compliance to UL System and University policies, as well as standards and best practices in the areas of their responsibility. Data Stewards are responsible for advising colleges, departments, units, and individuals within their functional area in Data classification and Data security practices. It shall be the responsibility of the Data Steward(s) to classify the Data, with input from appropriate University administrative units and legal counsel. The Data Steward(s) are responsible for communicating the level of classification to individuals granted access. Functional Units are responsible for managing and maintaining the security of the Data, computing resources and protected information. Functional Units are responsible for implementing appropriate managerial, operations, physical, and technical controls for access to, use of, transmission of, and disposal of Data in compliance with this policy. Individual Users are responsible for protecting the security of University information and information systems by adhering to the objectives and requirements stated within published University policies. In addition, individuals are required to comply with the additional security policies, procedures, and practices established by colleges, departments or other units. Failure to comply with established policies and practices may result in loss of computing privileges and/or disciplinary action. Students, faculty, and staff who use personally-owned systems to access University resources are responsible for the security of their personally-owned computers or other network devices and are subject to UNO IT User Policy and all other laws, regulations, or policies directed at the individual user. University Computing and Communications (UCC) has overall responsibility for security of the University's information technologies and implementation of Data security policies. Peter J. Fos, Ph.D., M.P.H. President University of New Orleans
PURPOSE The University of Rochester recognizes the vital role information technology plays in the University s missions and related administrative activities as well as the importance in an academic environment
Information Security Section: General Operations Title: Information Security Number: 56.350 Index POLICY.100 POLICY STATEMENT.110 POLICY RATIONALE.120 AUTHORITY.130 APPROVAL AND EFFECTIVE DATE OF POLICY.140
Southern Law Center Law Center Policy #IT0014 Title: Privacy Expectations for SULC Computing Resources Authority: Department Original Adoption: 5/7/2007 Effective Date: 5/7/2007 Last Revision: 9/17/2012
R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,
Southern Law Center Law Center Policy #IT0004 Title: Email Policy Authority: Department Original Adoption: 7/20/2007 Effective Date: 7/20/2007 Last Revision: 9/17/2012 1.0 Purpose: To provide members of
Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security
California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...
Rowan University Data Governance Policy Effective: January 2014 Table of Contents 1. Introduction... 3 2. Regulations, Statutes, and Policies... 4 3. Policy Scope... 4 4. Governance Roles... 6 4.1. Data
Information Security Policy Policy Title Responsible Executive Responsible Office Information Security Policy Vice President for Information Technology and CIO, Jay Dominick Office of Information Technology,
Virginia Commonwealth University Information Security Standard Title: Scope: Data Classification Standard This document provides the classification requirements for all data generated, processed, stored,
P02.07.066. Mobile Device Security. A. University employees and students using a laptop computer or mobile device (e.g. portable hard drives, USB flash drives, smartphones, tablets) are responsible for
Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles
Information Technology Acceptable Use Policy Overview The information technology resources of Providence College are owned and maintained by Providence College. Use of this technology is a privilege, not
Policy Number: M-17 University of Louisiana System Title: RECORDS RETENTION & Effective Date: OCTOBER 10, 2012 Cancellation: None Chapter: Miscellaneous Policy and Procedures Memorandum Each institution
Information & Technology Services Management & Security Principles & Procedures Executive Summary Contact: Henry Torres, (870) 972-3033 Background: The Security Task Force began a review of all procedures
UNIVERSITY BUSINESS EXECUTIVE ROUNDTABLE Developing a Data Governance System Custom Research Brief October 22, 2010 RESEARCH ASSOCIATE Jeff Durkin TABLE OF CONTENTS I. Research Methodology II. Executive
Public Information Program Public Records Policy Purpose This policy is adopted pursuant to the Government Records Access and Management Act Utah Code Ann. 63G-2-701 ( GRAMA ) and applies to District records
UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval
OFFICE OF THE PRESIDENT HIPAA Compliance Policy (effective April 14, 2003) Purpose It is the purpose of this Executive Memorandum to set forth the Board of Regents and the University Administration s Policy
Information Systems Security Policy Northeast Alabama Community College Center for Information Assurance Northeast Alabama Community College 138 AL Hwy 35, Rainsville, AL 35986 (256) 228-6001 1 5/22/2014
Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION The purpose of this policy is to outline essential roles and responsibilities within the University community for
Chapter 82 - RECORDS MANAGEMENT Sections: 8010 - Government records findings Recognition of public policy. The council of Salt Lake County finds the following: A. It is in the best interests of Salt Lake
RECORDS MANAGEMENT POLICY 1. POLICY OBJECTIVE 1.1 The University of South Africa (Unisa) has the responsibility to manage, store and retain certain documentation, records and other forms of information
Institutional Data Governance Policy Policy Statement Institutional Data is a strategic asset of the University. As such, it is important that it be managed according to sound data governance procedures.
IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Business Associates 10230 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance Policy Title:
HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement and is made between BEST Life and Health Insurance Company ( BEST Life ) and ( Business Associate ). RECITALS WHEREAS, the U.S.
Data Governance Policy Table of Contents STATEMENT OF PURPOSE... 2 ENTITIES AFFECTED BY THIS POLICY... 3 WHO SHOULD READ THIS POLICY... 3 POLICY STRUCTURE... 3 POLICY... 3 1. Data Governance Structure...
Table of Contents: 000 Introductory Material 001 Introduction Western Oregon University v1.6 Please direct comments to: Bill Kernan, Chief Information Security Officer 100 Information Security Roles and
Chapter 2.82 RECORDS MANAGEMENT 2.82.010 Government records findings--recognition of public policy. The council of Salt Lake County finds the following: A. It is in the best interests of Salt Lake County
HIPAA BUSINESS ASSOCIATE AGREEMENT Preamble This Business Associate Agreement ( Agreement ) is Attachment to the Contract for Payment Eligibility Assessment Whereas, pursuant to the terms of the Contract,
BUSINESS ASSOCIATE AGREEMENT 1. DEFINITIONS: 1.1 Undefined Terms: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms defined by the Health Insurance Portability
Prepared by the Office of the Executive Vice President for Academic Affairs/Provost This is a NEW Executive Policy UNIVERSITY OF HAWAI I EXECUTIVE POLICY ON INSTITUTIONAL DATA GOVERNANCE September 2012
Hamilton College Administrative Information Systems Security Policy and Procedures Approved by the IT Committee (December 2004) Table of Contents Summary... 3 Overview... 4 Definition of Administrative
BERKELEY COLLEGE DATA SECURITY POLICY BERKELEY COLLEGE DATA SECURITY POLICY TABLE OF CONTENTS Chapter Title Page 1 Introduction 1 2 Definitions 2 3 General Roles and Responsibilities 4 4 Sensitive Data
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the BAA ) is made and entered into as of the day of, 20, by and between Delta Dental of California (the Covered Entity ) and (the Business
ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:
TABLE OF CONTENTS University of Northern Colorado HIPAA Policies and Procedures Page # Development and Maintenance of HIPAA Policies and Procedures... 1 Procedures for Updating HIPAA Policies and Procedures...
Policy History Date Action Approved by President Mohammed Qayoumi May 27, 2013 April 9, 2013 Reviews: IT Management Advisory Committee Draft Policy Released Table of Contents Introduction and Purpose...
Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters
Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between
AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health
BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) adds to and is made a part of the Q- global Subscription and License Agreement by and between NCS Pearson, Inc. ( Business Associate
STATEMENT OF VALUES AND CODE OF ETHICS INTRODUCTION The Smithsonian Institution is a public trust whose mission is the increase and diffusion of knowledge. The Smithsonian was established by the United
Records and Information Management Program Policy and Procedure Responsible Office Office of the General Counsel Effective Date 04/01/2012 Responsible Official General Counsel Last Revision I. Rationale
HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,
HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( Agreement ) is by and between ( Covered Entity ) and Xelex Digital, LLC ( Business Associate ), and is effective as of. WHEREAS,
University of Hawai i Executive Policy on Data Governance (Draft 2/1/12) I. Definition Data governance is the exercise of authority and control (planning, monitoring, and enforcement) over the management
LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed
M E M O R A N D U M To: From: IT Steering Committee Brian Cohen Date: March 26, 2009 Subject: Revised Information Technology Security Procedures The following is a revised version of the Information Technology
Business Associate Agreement This Business Associate Contract (Agreement) is entered into by and between, as a Covered Entity as defined in relevant federal and state law, and HMS Agency, Inc., as their
SCHOOL OF NURSING POLICY ON STAFF CONFLICTS OF INTEREST AND CONFLICTS OF COMMITMENT November 2007 Introduction The University of Michigan Standard Practice Guide (SPG) 201.65-1 requires the deans of the
Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security
Tulane University DEPARTMENT: General Counsel s POLICY DESCRIPTION: Business Associates Office -- HIPAA Agreement PAGE: 1 of 1 APPROVED: April 1, 2003 REVISED: November 29, 2004, December 1, 2008, October
1. PURPOSE In accordance with CSSF Circular 2004/155, the board of directors of [NAME OF COMPANY] (hereafter the Company ) has adopted the following Compliance Policy. The Company s Compliance function
Northwestern Memorial Hospital DEPARTMENTAL POLICY Subject: DEPARTMENTAL ADMINISTRATION Title: 1 of 11 Revision of: NEW Effective Date: 01/09/03 I. PURPOSE: This policy defines general behavioral guidelines
Page 1 of 10 Table of Contents 1. Purpose... 2 2. Entities Affected by This Guideline... 2 3. Definitions... 2 4. Guidelines... 3 4.1 Requesting Data Center or... 3 4.2 Requirements for Data Center or...
Policy No: TITLE: AP-OP-07.2 Identity Theft Prevention Program EFFECTIVE DATE: April 11, 2014 ADMINISTERED BY: Office of the President CANCELLATION: REVIEW DATE: Fall 2016 PURPOSE To establish an Identity
PII Personally Identifiable Information Training and Fraud Prevention Topics What is Personally Identifiable Information (PII)? Why are we committed to protecting PII? What laws govern us? How do we comply?
Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 The City of Philadelphia is a Covered Entity as defined in the regulations
STI GROUP DISCUSSION WRITTEN PROJECT ediscovery FOR GIAC ENTERPRISES - DATA CLASSIFICATION, RETENTION, AND LITIGATION POLICIES AND PROCEDURES Version 1.1 September 22, 2007 Team: Russell Meyer, Brad Ruppert
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
DRAFT IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) Asset Management Policy #2430 POLICY INFORMATION Major Functional Area (MFA): Finance and Administration Policy Title: Asset Management Responsible
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
Records Management Manual of the University of Nevada Las Vegas Table of Contents Part 1: Overview of Records Management at the University of Nevada Las Vegas... 2 1.1 PROGRAM RATIONALE, RESPONSIBILITIES
SUMMARY OF POSITION ROLE/RESPONSIBILITIES: Reporting to the Senior Vice President for Administration, this position is responsible for ensuring that the University of Florida, in its entirety, is compliant
RUTGERS POLICY Section: 70.2.22 Section Title: Legacy UMDNJ policies associated with Information Technology Policy Name: Information Security: Electronic Information and Information Systems Access Control
Exhibit 2 Business Associate Addendum This Business Associate Addendum ( Addendum ) governs the use and disclosure of Protected Health Information by EOHHS when functioning as a Business Associate in performing
Business Associate Agreement This Business Associate Agreement (the Agreement ) is made by and between Business Associate, [Name of Business Associate], and Covered Entity, The Connecticut Center for Health,
INTERNATIONAL SOS Data Protection Policy Document Owner: LCIS Division Document Manager: Group General Counsel Effective: December 2008 Revised: 2015 All copyright in these materials are reserved to AEA
DRAFT IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) Communications and Operations Management Policy #2450 POLICY INFORMATION Major Functional Area (MFA): Finance and Administration Policy Title:
STANDARD ADMINISTRATIVE PROCEDURE 16.99.99.M0.26 Investigation and Response to Breach of Unsecured Protected Health Information (HITECH) Approved October 27, 2014 Next scheduled review: October 27, 2019
Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information
CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE October 2, 2013 By: Diane M. Gorrow Soule, Leslie, Kidder, Sayward & Loughman, P.L.L.C. 220 Main Street