CUMC IT Encryption Policy

Author: Carlo Cuttitta, CUMC IT
Columbia University Medical Center, PH , 630 West 168th Street, New York, NY 10032

Document Revision History

| Version | Author(s) | Date | Issued to | Comments |
|---|---|---|---|---|
| 0.01D | Carlo Cuttitta / Prasad Satavalli | Aug 30, 2010 | Bob De Boer | Draft version issued |
| 0.02D | Prasad Satavalli | Sep 03, 2010 | Richard Mikelinich, Carlo Cuttitta, Bob De Boer | Changes and corrections all thru based on reviews from Erwin Pili, Jason Habbal, Carlo Cuttitta, Spencer, and Bob De Boer |
| 1.0 | Prasad Satavalli | Sep 07, 2010 | CUMC | Incorporated several additional sections suggested by Richard Mikelinich and approved by Robert De Boer. Version 1.0 issued. |
| 1.01D | Prasad Satavalli | Sep 07, 2010 | CUMC | Incorporated minor corrections suggested by Dr Sideli |

Policy ID: CUMCIT_2010_BPP_003 Ver 1.01D Sep 07, 2010 CUMC IT

Table of Contents

1 General Information
  1.1 Terms Used in This Document
  1.2 Contact
  1.3 Encryption Policy Owner
2 Encryption Policy
  2.1 Policy Statement
  2.2 Primary Guidance to the Policy
  2.3 Scope of This Policy
  2.4 Encryption
  2.5 Devices and Media Requiring Encryption
  2.6 Who is governed by This Policy
  2.7 Who should know This Policy
  2.8 Exclusions and Limitations
  2.9 Policy Text
  2.10 Recommended Encryption Software
  2.11 Encryption Software Installation Procedure
  2.12 Encryption Software Usage Guidelines
  2.13 Disclaimers
  2.14 Export Control Laws
3 Appendices
  Appendix 1: GuardianEdge Encryption Software Installation Form
  Appendix 2: Cross References to Related Policies and Information

1 General Information

1.1 Terms Used in This Document

| Term | Meaning |
|---|---|
| CUMC | Columbia University Medical Center |
| CUMC IT | Columbia University Medical Center Information Technology |
| CU | Columbia University |
| CUIT | Columbia University Information Technology |
| Client | Refers to a department in CUMC |
| Users | Refers to individuals including but not limited to faculty, staff, and individuals authorized by CUMC affiliated institutions and organizations |
| System | Server and Application |
| Service Desk | CUMC IT's Service Desk Group |
| Information Security Group (ISG) | CUMC IT/NYP Security Group |

1.2 Contact

For submitting requests, questions, or comments on this policy please use: 5help@columbia.edu

1.3 Encryption Policy Owner

Robert De Boer
Deputy Chief Information Officer
Columbia University Medical Center Information Technology
630 West 168th Street, PH New York, NY
(212) Work (212) Fax
rd2293@columbia.edu

2 Encryption Policy

2.1 Policy Statement

The encryption policy outlined in this document is designed to cover computers and removable storage media that store and process confidential and sensitive electronic data of Columbia University Medical Center, corresponding to the definitions of confidential and sensitive data in the CUIT Data Classification Policy.

2.2 Primary Guidance to the Policy

This Encryption policy responds to the following:

CUIT Data Classification Policy, which stipulates that sensitive and confidential data are required to be encrypted in compliance with the following:

- New York State Law
- New York State Information Security Breach and Notification Act
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Payment Card Industry Data Security Standard (PCI DSS)

For accessing the CUIT Data Classification Policy, please refer to Appendix 2, Cross References to Related Policies and Information.

Note: Columbia University Medical Center is also bound by Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, which addresses the privacy and security concerns associated with the electronic transmission of health information. This is not yet reflected in the above referenced policy.

2.3 Scope of This Policy

The encryption policy covers the following:

- Encryption
- Devices that require encryption
- CUMC IT recommended software for encryption
- Procedure for installing the encryption software, and
- Guidelines for using the encryption software

2.4 Encryption

Encryption is the conversion of data into a format that is not understandable. Only with proper access, such as a user name and a password, can the data be decrypted (made understandable again).

In simple terms, if a computer is encrypted by installing encryption software, the files, programs, and data on it are accessible only to the user who has a valid user name and password to that computer. Without a valid user name and password nobody can access the data on that computer.

Encryption software protects laptops and computers when they are lost, stolen, or if someone who is not authorized to access them tries to access them. Files on removable media can be protected by encryption using encryption software. Encrypted computers and encrypted files on removable media cannot be accessed without a password. All it takes is setting up a very strong password beyond guess work to ensure that encryption is fail-safe.

Note: For the CUMC IT Password Policy, please refer to Appendix 2, Cross References to Related Policies and Information.

2.5 Devices and Media Requiring Encryption

The following devices and removable media storing confidential or sensitive CUMC data require encryption:

- Laptops
- Desktop computers
- USB Flash drives
- CD and DVD media
- External hard disks
- Portable hard drives
- Files sent out as attachments

Note: HIPAA/HITECH calls for data that is in transit, such as interfaces, to be encrypted. Interfaces are not mentioned here because this encryption technology is not suitable for network transfer of data; such uses are encrypted by other means, for example, SSL or IPsec.

2.6 Who is governed by This Policy

This policy applies to all the CUMC users who access the medical center electronic information resources. Individuals covered include but are not limited to faculty, staff, students, and individuals authorized by CUMC affiliated institutions and organizations.

2.7 Who should know This Policy

Anyone who accesses the medical center's electronic information resources: employees, consultants, interns and temporary workers.

2.8 Exclusions and Limitations

Existing systems and applications containing sensitive and confidential information which cannot use encryption because of technology limitations may be granted a waiver on a case by case basis upon evaluation by CUMC IT and the ISG. Such systems must go through a comprehensive risk assessment to ensure that major risks are addressed via compensating controls to protect sensitive data in lieu of encryption.

2.9 Policy Text

- All laptops and workstations that store or access sensitive and confidential CUMC data as defined in the CUIT Data Classification Policy must be encrypted by installing encryption software.
- Files and backups from medical devices stored on removable media that store confidential or sensitive CUMC data must also be encrypted.
- Anytime confidential or sensitive CUMC data is placed on removable media such as CD, DVD, or portable hard drives, such data must be encrypted.
- Anytime files containing confidential or sensitive CUMC data are e-mailed, such file attachments must be encrypted.
- Strong passwords must be used to protect computers.
- Password protected screensavers that lock the computers after five minutes of inactivity must be used to protect the computers.
- Files transferred to removable storage media using encryption software, or files sent out as attachments after they are encrypted using encryption software, must be protected with strong passwords.
- Removable media containing confidential or sensitive CUMC data must be kept safe and in a secure location.

Related policies and information on passwords, backups, and other details are provided in Appendix 2, Cross References to Related Policies and Information.

2.10 Recommended Encryption Software

CUMC IT recommends that CUMC users install encryption software called GuardianEdge on Windows laptops and workstations.

Note: Details on how to acquire the software are provided in Appendix 1, GuardianEdge Encryption Software Installation Form.

GuardianEdge is evaluated by CUMC IT to fulfill the encryption policy requirements and is made available free of cost to CUMC.

2.11 Encryption Software Installation Procedure

1. GuardianEdge installation requires administrative rights to the computer. For details on administrative rights please refer to the information provided in Appendix 2, Cross References to Related Policies and Information.
2. Users must have a very strong password for their computers. They must have strong password protected screensavers that turn on after five minutes of inactivity. Users must refer to the information about passwords and computer acceptable use policies presented in Appendix 2, Cross References to Related Policies and Information before installing GuardianEdge software.
3. Users must back up their data on computers or devices before downloading the GuardianEdge software. This includes all documents, worksheets, web browser favorites or bookmarks, images, files, contacts, calendar information and any other data, installation files, and licenses for software programs.
4. Data that is backed up must be placed in a safe, protected, and encrypted location. Information on tools and utilities is provided on the CUMC IT web site. For details, please refer to Appendix 2, Cross References to Related Policies and Information.
5. Users must continue to back up their data at regular intervals. For details, please refer to Appendix 2, Cross References to Related Policies and Information.
6. Users must be aware that after GuardianEdge is installed it cannot be uninstalled and can only be removed by formatting the drive, resulting in a total loss of data.
7. Before installing GuardianEdge software, users must fill in and submit the GuardianEdge Encryption Software Installation Form.
8. Users must refer to the GuardianEdge end user documentation and checklists before installing the software.

2.12 Encryption Software Usage Guidelines

1. Users must back up the data on their computers or devices at regular intervals after installation of the encryption software. This includes all documents, worksheets, web browser favorites or bookmarks, images, files, contacts, calendar information and any other data, installation files, and licenses for software programs.
2. Users must never share their user names or passwords with others or write the user name and passwords on notes or books.
3. Upon installation, GuardianEdge takes several hours to encrypt the drive the first time. Users must disable the hibernation feature on their computers so that the computer does not go into hibernation, thereby interrupting the encryption process. After the first-time encryption, GuardianEdge works silently in the background on the computer.
4. While encrypting files stored on removable media, users should not interrupt the encryption process by disconnecting the removable media from the computer. Files may get corrupted when the encryption process is interrupted.

2.13 Disclaimers

1. CUMC IT is not responsible for lost data due to corruption, malware, failure to back up, or any such reason.
2. CUMC IT is not responsible for any issues that impact computer or device performance after the encryption software is installed.
3. Encryption software does not secure computers from viruses or hacker attacks. It protects computers and laptops from unauthorized access when the computers are locked, turned off, or in a hibernation mode using a password protected screensaver. Users must continue to ensure that their computers are up-to-date with operating system updates and anti-virus and anti-spyware updates.
4. CUMC IT cannot provide support in case encryption passwords are forgotten or lost by users.

2.14 Export Control Laws

Software available from GuardianEdge Technologies, Inc. is subject to United States export controls. No software from this site may be downloaded or otherwise exported or re-exported:

- into (or to a national or resident of) Iran, Cuba, Sudan, Syria and North Korea or any other country to which the United States has embargoed goods; or
- to any organization or company on the United States Commerce Department's "Denied Persons List."

GuardianEdge is approved by the US Bureau of Industry and Security (Mass Market Commodity Code 5D992) for the export of our endpoint data protection products. This obviates the need for declaration or prior approval to travel with encrypted devices in most countries.

GuardianEdge is approved by the French government (General Secretariat of National Defense) for import, transfer and/or supply of GuardianEdge products.

China requires pre-approval before entering the country with encrypted devices.

By downloading or using software from this site, users are agreeing to the foregoing and all applicable export control laws. Users are also warranting that they are not under the control of, located in, or a resident or national of any such country or on any such list.

The information on export laws provided herein is not necessarily complete. For more information on export laws, please refer to United States Commerce Department, Bureau of Industry and Security at (202) or (202)

You can also view online copies of the export license for the GuardianEdge Data Protection at:

3 Appendices

Appendix 1: GuardianEdge Encryption Software Installation Form

Computers and removable media that store and process the Medical Center's confidential and sensitive data corresponding to the CUIT Data Classification policy must be encrypted using encryption software in compliance with the CUMC IT GuardianEdge Encryption Policy. CUMC IT offers GuardianEdge encryption software free to CUMC.

Encryption software protects confidential and sensitive data on laptops and computers when they are lost, stolen, or if someone who is not authorized to access them tries to access them. Files on removable media can be protected by encryption using encryption software. Encrypted computers and encrypted files on removable media cannot be accessed without a password. All it takes is setting up a very strong password beyond guess work to ensure that encryption is effective.

Before installing GuardianEdge encryption software you MUST make sure of the following:

- you have a user name and a strong password to your computer,
- your computer has a password protected screen saver that turns on automatically after five minutes of inactivity, and
- you have backed up all the data on the computer to a safe, protected, and encrypted location. (You must continue to back up your computer at regular intervals even after GuardianEdge is installed.)

Form fields:

First Name:
Title:
Last Name:
Department:
UNI:
Computer Serial Number:

- My computer is less than 3 years old*
  Note: CUMC IT recommends that your computer should not be older than 3 years and that you have made a full backup of your data before installing GuardianEdge.
- I have completed a full backup of my data*
- I have gone through the CUMC IT Password policy*
- I have a strong password to my computer (e.g. 8 characters or longer, use a combination of upper and lower case letters, include at least one numeric and/or special character, etc.)
- My computer has a password protected screensaver that turns on after five minutes of inactivity
- I have one of the following computer models: Latitude, OptiPlex, Dimension
  Note: If you do not have one of the models listed above please contact 5-Help ( ). Please be advised that GuardianEdge cannot be installed on Latitude Z600 models.
- My computer's Operating System*: Windows XP, Windows Vista, Windows 7
  Note: At the present time GuardianEdge is not compatible with Macs.

By installing GuardianEdge software:

- I agree that I have read the CUMC IT GuardianEdge Encryption Policy and the related CUMC IT and CUIT policies on data classification, computer backup, passwords, encryption tools, administrative rights, and acceptable use stated in the GuardianEdge Encryption Policy.
- I have gone through GuardianEdge Encryption end user documentation.
- I take full responsibility for any consequences that may arise after the software is installed on my computer or equipment.

Signature/Approval*: (Please type in your full name)
Date: MM/DD/YYYY

Appendix 2: Cross References to Related Policies and Information

Users are required to be familiar with the following policies and information before downloading and installing GuardianEdge encryption software:

- Data Classification Policy: CUMC IT and CUIT Data Classification policy described on CU web site at: 119b4fac83a0003.html?base=responsible_office
- Passwords: CUMC IT Password policy described on the CUMC IT website at:
- Backing up computers: Computer Backup information described on the CUMC IT website at:
- CUMC IT Supported Software: CUMC IT supported software information described on the CUMC IT website at:
- Encryption Tools (other than GuardianEdge): List of encryption tools and their details on the CUMC IT website at:
- Administrative rights to computers: CUMC IT Administrative Rights policies for computers on the CUMC IT website at:
- GuardianEdge end user documentation and checklists: To be made available by CUMC IT.
More informationGuidelines. London School of Economics & Political Science. Remote Access and Mobile Working Guidelines. Information Management and Technology
London School of Economics & Political Science Information Management and Technology Guidelines Remote Access and Mobile Working Guidelines Jethro Perkins Information Security Manager Summary This document
More informationResearch Information Security Guideline
Research Information Security Guideline Introduction This document provides general information security guidelines when working with research data. The items in this guideline are divided into two different
More informationPage 1 of 15. VISC Third Party Guideline
Page 1 of 15 VISC Third Party Guideline REVISION CONTROL Document Title: Author: File Reference: VISC Third Party Guidelines Andru Luvisi CSU Information Security Managing Third Parties policy Revision
More informationAppendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice
Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help
More informationSecurity Awareness Training Policy
Security Awareness Training Policy I. PURPOSE This policy is intended to set the training standard for several key audiences in Salem State University, including, but not limited to: University executives,
More informationCyber Security Best Practices
Cyber Security Best Practices 1. Set strong passwords; Do not share them with anyone: They should contain at least three of the five following character classes: o Lower case letters o Upper case letters
More informationSouthwest Arkansas Telephone Cooperative, Inc. (SWAT) Customer Agreement and Internet Allowable Usage Policy
BY USING THE INTERNET ACCESS OFFERED BY Southwest Arkansas Telephone Coop., Inc d.b.a. SWAT.COOP (heretofore referred to as SWAT.COOP) YOU ARE CONSENTING TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT AGREE
More informationINFORMATION SECURITY FOR YOUR AGENCY
INFORMATION SECURITY FOR YOUR AGENCY Presenter: Chad Knutson Secure Banking Solutions, LLC CONTACT INFORMATION Dr. Kevin Streff Professor at Dakota State University Director - National Center for the Protection
More informationHIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE
HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation
More informationDriveLock and Windows 7
Why alone is not enough CenterTools Software GmbH 2011 Copyright Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise
More informationCOMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING
COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING INFORMATION TECHNOLOGY STANDARD Name Of Standard: Mobile Device Standard Domain: Security Date Issued: 09/07/2012 Date Revised:
More informationInformation Security Guide for Students
Information Security Guide for Students August 2009 Contents The purpose of information security and data protection...1 Access rights and passwords...2 Internet and e-mail...3 Privacy protection...5 University
More informationNational Cyber Security Month 2015: Daily Security Awareness Tips
National Cyber Security Month 2015: Daily Security Awareness Tips October 1 New Threats Are Constantly Being Developed. Protect Your Home Computer and Personal Devices by Automatically Installing OS Updates.
More informationFAYETTEVILLE STATE UNIVERSITY POLICY ON INFORMATION SECURITY
FAYETTEVILLE STATE UNIVERSITY POLICY ON INFORMATION SECURITY Authority: Category: Applies to: Chancellor, Fayetteville State University University-wide Faculty, Staff, and Students History: Approved on
More informationMy Docs Online HIPAA Compliance
My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several
More informationActive Directory Benefits for Smaller Enterprises
Active Directory Benefits for Smaller Enterprises Microsoft Corporation Published: September 2004 Abstract Microsoft Active Directory (AD) has been available since early 2000, and while most organizations
More informationUnderstanding Northwestern University s contract with Symantec. Symantec Solutions for Cost Reduction & Optimization
Understanding Northwestern University s contract with Symantec Symantec Solutions for Cost Reduction & Optimization Chris Hagelin and Shane Scholes Symantec Account Manager and Symantec Sales Engineer
More informationORANGE REGIONAL MEDICAL CENTER Hospital Wide Policy/Procedure
ORANGE REGIONAL MEDICAL CENTER Hospital Wide Policy/Procedure MANUAL: Hospital Wide SECTION: Information Technology SUBJECT: Acceptable Use of Information Systems Policy IMPLEMENTATION: 01/2011 CONCURRENCE:
More informationWHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0
WHITE PAPER Support for the HIPAA Security Rule RadWhere 3.0 SUMMARY This white paper is intended to assist Nuance customers who are evaluating the security aspects of the RadWhere 3.0 system as part of
More informationHIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1
HIPAA COMPLIANCE AND DATA PROTECTION sales@eaglenetworks.it +39 030 201.08.25 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and EagleHeaps
More informationBSHSI Security Awareness Training
BSHSI Security Awareness Training Originally developed by the Greater New York Hospital Association Edited by the BSHSI Education Team Modified by HSO Security 7/1/2008 1 What is Security? A requirement
More informationSoftware as a Service (SaaS) Requirements
Introduction Software as a Service (SaaS) Requirements Software as a Service (SaaS) is a software service model where an application is hosted as a service provided to customers across the Internet. By
More informationMCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features
MCTS Guide to Microsoft Windows 7 Chapter 7 Windows 7 Security Features Objectives Describe Windows 7 Security Improvements Use the local security policy to secure Windows 7 Enable auditing to record security
More informationUr-Smart Your Best Choice
1 Ur-Smart User Manual Ur-Smart Your Best Choice Users Manual 2 Ur-Smart User Manual Ur-Smart... 1 Your Best Choice... 1 Product introduction... 3 About Ur-Smart... 3 System requirements...
More informationSYMANTEC SOFTWARE SERVICE LICENSE AGREEMENT Norton 360
SYMANTEC SOFTWARE SERVICE LICENSE AGREEMENT Norton 360 IMPORTANT: PLEASE READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT ( LICENSE AGREEMENT ) CAREFULLY BEFORE USING THE SOFTWARE (AS DEFINED BELOW).
More informationHamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004)
Hamilton College Administrative Information Systems Security Policy and Procedures Approved by the IT Committee (December 2004) Table of Contents Summary... 3 Overview... 4 Definition of Administrative
More informationWhite Paper. Support for the HIPAA Security Rule PowerScribe 360
White Paper Support for the HIPAA Security Rule PowerScribe 360 2 Summary This white paper is intended to assist Nuance customers who are evaluating the security aspects of the PowerScribe 360 system as
More informationCyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology
Cyber Security Incident Handling Policy Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology Date: Oct 9, 2015 i Document Control Document Owner Classification
More informationProcedure Title: TennDent HIPAA Security Awareness and Training
Procedure Title: TennDent HIPAA Security Awareness and Training Number: TD-QMP-P-7011 Subject: Security Awareness and Training Primary Department: TennDent Effective Date of Procedure: 9/23/2011 Secondary
More informationWellesley College Written Information Security Program
Wellesley College Written Information Security Program Introduction and Purpose Wellesley College developed this Written Information Security Program (the Program ) to protect Personal Information, as
More informationVirginia Commonwealth University Information Security Standard
Virginia Commonwealth University Information Security Standard Title: Scope: Data Classification Standard This document provides the classification requirements for all data generated, processed, stored,
More informationCertified Secure Computer User
Certified Secure Computer User Exam Info Exam Name CSCU (112-12) Exam Credit Towards Certification Certified Secure Computer User (CSCU). Students need to pass the online EC-Council exam to receive the
More informationData Security 101. Christopher M. Brubaker. A Lawyer s Guide to Ethical Issues in the Digital Age. cbrubaker@clarkhill.com
Data Security 101 A Lawyer s Guide to Ethical Issues in the Digital Age Christopher M. Brubaker cbrubaker@clarkhill.com November 4-5, 2015 Pennsylvania Bar Institute 21 st Annual Business Lawyers Institute
More informationAn Introduction on How to Better Protect Your Computer and Sensitive Data
An Introduction on How to Better Protect Your Computer and Sensitive Data Common Security Problems Computer users who fail to use strong passwords Constant attacks by viruses, worms, key loggers and bots
More informationPrivacy Data Loss. Privacy Data Loss. Identity Theft. The Legal Issues
Doing Business in Oregon Under the Oregon Consumer Identity Theft Protection Act and Related Privacy Risks Privacy Data Loss www.breachblog.com Presented by: Mike Porter March 10, 2009 2 Privacy Data Loss
More informationSecureAge SecureDs Data Breach Prevention Solution
SecureAge SecureDs Data Breach Prevention Solution In recent years, major cases of data loss and data leaks are reported almost every week. These include high profile cases like US government losing personal
More informationCHIS, Inc. Privacy General Guidelines
CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified
More informationGuadalupe Regional Medical Center
Guadalupe Regional Medical Center Health Insurance Portability & Accountability Act (HIPAA) By Debby Hernandez, Compliance/HIPAA Officer HIPAA Privacy & Security Training Module 1 This module will address
More informationCOLORADO COMMUNITY COLLEGE SYSTEM SYSTEM PRESIDENT S PROCEDURE GENERAL COMPUTER AND INFORMATION SYSTEMS PROCEDURES
Page 1 of 12 SP 3-125c COLORADO COMMUNITY COLLEGE SYSTEM SYSTEM PRESIDENT S PROCEDURE GENERAL COMPUTER AND INFORMATION SYSTEMS PROCEDURES APPROVED: May 1, 2006 EFFECTIVE: May 1, 2006 REVISED: August 4,
More informationHuman Subject Research: HIPAA Privacy and Security. Human Research Academy 101
Human Subject Research: HIPAA Privacy and Security Human Research Academy 101 Your Enterprise Privacy Officer Christine Adams, CHC, CHPC Enterprise Privacy Officer Compliance & Enterprise Risk Management
More informationProtection of Computer Data and Software
April 2011 Country of Origin: United Kingdom Protection of Computer Data and Software Introduction... 1 Responsibilities...2 User Control... 2 Storage of Data and Software... 3 Printed Data... 4 Personal
More information