Community Bank Auditors Group: Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy. By Scott Baranowski.
Slide 1: Community Bank Auditors Group. Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy. June 10, 2015. By Scott Baranowski. Member of PKF North America, an association of legally independent firms. 2015 Wolf & Company, P.C.

Slide 2: How Do You Handle All of Your Paper?

Slide 3: Recent Data Breaches
- A Bank employee stole records that included credit card numbers, bank account information, and other personal data of up to 8.5 million customers.
- A Bank improperly disposed of records containing confidential customer information, affecting over 500 customers.
- An employee had sensitive loan application documents stolen from their car.
- Over a period of four months, a man searched through dumpsters outside of a Bank. He pulled out bags of paperwork with private information, including customers' Social Security numbers and account information.

Slide 4: Recent Data Breaches
- An employee lost a backpack that included names, Social Security numbers and birthdates.
- Three former Bank employees were accused of accessing and exporting customers' mortgage data and providing it to a competitor.
- A Bank discovered that a former contractor kept proprietary bank information in his possession after leaving the company.

Slide 5: Ask Yourself
- What type of records do we have? What forms are maintained?
- What is our retention schedule? Is it accurate?
- Do we have a policy and procedure? Are they current?
- Does our records management program conflict with our information security program?
Slide 6: Goals of Records Management Program

Slide 7: Goals of Records Management Program
- Control and coordinate all phases of record retention and destruction: What? Where? How long? By whom? What methods?
- Maintain active, inactive, and archival records.
- Ensure accessibility and security of information and records.
- Provide and maintain policies and procedures in accordance with laws, regulations, and organizational needs.

Slide 8: Today's Agenda
- Importance of a Successful, Enforceable Records Retention Program
- Where to Begin and What to Include
- Ensuring Compliance with GLBA and Privacy Requirements
- Auditing Your Records Management Program

Slide 9: Importance of an Effective Records Retention Program: The 3 Primary Reasons

Slide 10: Three Primary Reasons
- Business Activities
- Eliminates Employee Uncertainty
- Regulatory Compliance
Slide 11: Accounting of Business Activities
- Financial records require proper supporting documentation: G/L tickets, checks, etc.
- Legal support of transactions is required: loan notes, collateral documents, etc.
- Support customer transactions.
- Document business processes and controls.

Slide 12: Eliminates Employee Uncertainty
- Is there a record retention policy to be followed?
- What are employees supposed to retain and destroy?
- Who is responsible for destroying records?
- How are records destroyed?

Slide 13: Regulatory Compliance
- The Gramm-Leach-Bliley Act (1999) requires financial institutions to ensure the security and confidentiality of the Non-public Personal Information (NPPI) of customers.
- Financial institutions include banks, credit unions, insurance companies, mortgage lenders, etc.
- It has an indirect impact on the following service providers: core, item, RDC, e-banking and bill payment providers; backup and disaster recovery service providers; cloud providers; record storage and disposal services.
- Implemented by the Federal Trade Commission (FTC) by issuing two rules: the Privacy Rule and the Safeguards Rule.

Slide 14: Safeguards Rule
- Applies to information about anyone who is considered a customer of a financial institution.
- Customer information is any record containing NPPI about a customer that is handled or maintained by or on behalf of the financial institution (e.g. Social Security numbers, bank account numbers, etc.).
- Only applies to information about a consumer who is a customer of the financial institution. This includes active, non-active, and denied.

Slide 15: Safeguards Rule
Financial institutions are required to develop an Information Security Program (ISP) that includes the 5 required components:
- Designate a program coordinator;
- Conduct a risk assessment;
- Ensure that safeguards are employed to control identified risks and threats;
- Oversee selection and retention of service providers who handle or maintain customer NPPI; and
- Evaluate and adjust the program as needed.

Slide 16: Safeguards Rule 501(b)
Requires agencies to establish standards for administrative, technical, and physical safeguards to:
- Protect against any anticipated threats or hazards to the security or integrity of such records;
- Ensure the security and confidentiality of customer records and information; and
- Protect against any unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

Slide 17: Safeguards
- Administrative: policies, procedures, audit, training.
- Technical: firewall/IPS, access controls, tokens, anti-virus and anti-spam, logging.
- Physical: surveillance equipment, security alarms, locking rooms/cabinets, clean screen, clean desk, shredding documents.
Slides 18 to 22: Example Records Retention Schedule. See for more information.
Slide 23: NYS Retention Requirements
- Banks must preserve mortgage-related books and records for inspection for a minimum of three years. They must establish and maintain a centralized daily application log for all mortgage applications.
- Authorized insurers in New York State are required to retain records of each insurance contract or policy for the longer of: six calendar years; or after the filing of the report of examination in which the record was subject to review.
- Hard copies of cancelled checks must be maintained for ninety (90) days; after that, an electronic copy can be archived for seven years.

Slide 24: Regulatory Compliance
- In 1999, New York State passed the Electronic Signatures and Records Act (ESRA). ESRA established that electronic signatures can be legally binding, and allowed the creation and storage of electronic records.
- Uniform Electronic Transactions Act (1999): electronic records vs. paper records. Adopted by 47 states, the District of Columbia and the U.S. Virgin Islands; the holdouts are Illinois, New York and Washington.

Slide 25: Regulatory Compliance
Government organizations that require the retention of documents:
- Internal Revenue Service
- Federal Deposit Insurance Corporation
- Housing and Urban Development
- Small Business Administration
- Department of Labor
- Commodity and Securities
- Money and Finance
- Bureau of Indian Affairs
- Department of Education
- Department of Veterans Affairs
- Public Contracts - Dept. of Labor
- State Banking Agencies
- Equal Employment Opportunity Commission
- United States Code
- Office of the Comptroller of the Currency
- Federal Reserve Board
Slide 26: Where to Begin and What to Include

Slide 27: Where to Begin and What to Include
- Start with an assessment of the current retention program
- Evaluate the options available
- Threats to information security and prevention

Slide 28: Start with Assessment
- Is there a program? A retention schedule?
- Who, if anyone, is currently responsible, and in what areas?
- What are we storing, how and where, and what does it cost?
- What is required legally?
- What is required to support business functionality and customer service?

Slide 29: Start with Assessment
- What are we destroying? How? What does it cost?
- Are business needs being met?
- What are the alternatives and related savings?
- What are the intangible improvements?
- Are proper safeguards in place?

Slide 30: How Do I Get the Effort Organized?

Slide 31: How Do I Organize?
- Build consensus through involvement.
- Choose a Records Management Committee of no more than 6-7 members.
- Business involvement is needed. Consider key operations personnel throughout the Bank: IT, Loan Operations, Branch Operations, Trust Operations, Deposit Operations.
- Consider others: Compliance, Audit, Legal.

Slide 32: Conducting a Records Inventory
- Physically inspect all of the paper files and record the essential information about them.
- Identify duplicate, fragmented, and related records.
- Match the records to the records schedules.
- Evaluate the existing records (documentation) against your documentation strategy and information needs.

Slide 33: Perform a Risk Assessment
- A risk assessment should be performed to evaluate the Bank's current Records Retention Program as well as alternatives.
- Identify foreseeable internal and external risks to the security, confidentiality, and integrity of customer information.
- It should consider these relevant areas of operation, at a minimum:
  - Employee training and management;
  - Record management, including storage, access, and disposal;
  - Information systems, including network and software design, information processing, storage, transmission and disposal; and
  - Detecting, preventing and responding to attacks, intrusions, or other system failures.
Slide 34: Customer Information Risk Assessment (question, control name, control description)

Management
1. Are there policies that address document handling procedures based on a data classification scheme?
   Control: Data Classification Policy. Policy which governs the requirements for proper record retention, such as storage inventory, retention timeframe, and destruction schedule.

Access
1. Does the organization maintain privacy agreements with third parties that handle the organization's information?
   Control: Vendor Security and Confidentiality. All Wolf third party contracts include a confidentiality clause, and contracts are maintained by the Manager - Administration.
2. Are credit and criminal checks performed on employees with access to confidential information?
   Control: Employee CORI Verification. HR performs and maintains background verification for new employees. Any concerns are appropriately reviewed by designated management for required action.

Transfer and Disclosure
1. Does the organization require confidentiality agreements and provide appropriate disclosures?
   Control: Confidentiality Agreement and Disclosure Procedure. All Wolf third party contracts include a confidentiality clause, and contracts are maintained by the Manager - Administration.
2. Does the organization use industry standard encryption technology when transmitting sensitive data electronically?
   Control: Encryption Standards and Controls. E-mail transmissions can be secured and encrypted by the employee adding the term "secure" within the subject line.

Collection
1. Is there a retention schedule in place?
   Control: Record Retention Policy. Policy which governs the requirements for proper record retention, such as storage inventory, retention timeframe, and destruction schedule.
2. Is there an off-site location to store long-term documents?
   Control: Offsite Records Storage Facility. Wolf uses Iron Mountain as an offsite managed facility where they can store or archive paper or electronic records.
3. Do procedures exist for employees to report breaches in information security?
   Control: Incident Response Plan. Wolf's Information Security Policy includes an Incident Response Plan which details that, on identifying a security incident, employees must complete an Incident Response Form and submit it to the I.S. Department.

Use and Retention
1. Are privacy policies and procedures, and changes thereto, reviewed and approved by management?
   Control: Policy and Procedure Review Process. Policies are reviewed annually by the Technology Committee and approved by the Board of Directors.
2. Is notice provided to the individual about the organization's privacy policies and procedures?
   Control: Annual Privacy Notice. All Wolf client engagement letters include the Firm's confidentiality agreement and wording.
3. Does management confirm that third parties from whom personal information is collected are reliable sources that collect information fairly and lawfully?
   Control: Vendor Identification Procedures. Verification that vendors used for confidential data collection purposes are a reliable and valid source of information and that data has been collected and handled lawfully.

Disposal and Destruction
1. Does the organization have a policy or procedure for disposing of documents containing confidential information?
   Control: Document Destruction Policy. Wolf's Information Security Policy includes sections on Data Classification and Retention, and File Security and Disposal.
2. Does the organization provide locked shredding bins or shredding machines to dispose of paper documents and electronic media containing customer information?
   Control: Document Disposal Resources. Locked shredding bins are provided throughout the Boston and Springfield offices. Electronic media is destroyed by the IS Department.
3. Is there a control in place to prevent the shredding bins ever being outside the control of the organization (i.e. left outside during non-business hours)?
   Control: Shredding Procedure. Locked shredding bins are collected from within the offices by Iron Mountain, and documents are shredded on Iron Mountain trucks with the bins being returned to the offices.
Slide 35: Ensure That Audit Is Involved in the Discussion
- Onsite versus offsite record storage: not just costs, but also the impact on business.
- Evaluate service providers and ensure they are capable of safeguarding the customer data they handle or maintain.
- Electronic storage versus hard copy: again, not just cost, but research efficiency and backup.
- If selecting vendors/systems, remember that regulators require a method to be followed, and it's good business practice.

Slide 36: Back-ups
- What information requires a backup?
- Ensure that backups are stored separately from original documents: disaster recovery; prevent mixing of backups and originals.
- Consider organizing backups by retention requirement date, to prevent accidental destruction of backups with varying retention requirement dates.
- Can't store everything!

Slide 37: If It Can Be Destroyed, Destroy It
- Destruction: designate a trained staff member.
- Try to eliminate duplicates of duplicates.
- Ensure the record retention schedule is followed prior to destruction!
- Can't store everything.
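As an added example (not part of the presentation), the Python script below encodes the slide 23 NYS retention periods as rules, decides whether each record in a constructed inventory is eligible for destruction, and performs the audit test slides 36 and 37 call for: checking a constructed destruction log for records that were destroyed before the schedule allowed it. The record types, field names, legal-hold flag and all dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Added example, not part of the presentation. Retention periods follow the
# NYS requirements on slide 23; the record types, field names, the inventory
# and the destruction log below are constructed for illustration.

AS_OF = date(2015, 6, 10)  # review date (the presentation date, used as "today")


@dataclass
class Record:
    record_id: str
    record_type: str                  # "mortgage", "insurance_policy" or "cancelled_check"
    created: date                     # date the record was created / the check cleared
    medium: str = "paper"             # "paper" or "electronic"
    electronic_copy: bool = False     # paper check already archived electronically
    exam_report_filed: Optional[date] = None  # insurance: filing date of the exam report
    legal_hold: bool = False          # assumption: a hold overrides the schedule


def add_years(d: date, n: int) -> date:
    """Shift a date by n calendar years (29 Feb rolls back to 28 Feb)."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def retention_end(rec: Record) -> Optional[date]:
    """Earliest date the record may be destroyed under the slide 23 rules,
    or None when the retention clock cannot be computed yet."""
    if rec.record_type == "mortgage":
        return add_years(rec.created, 3)          # minimum three years
    if rec.record_type == "insurance_policy":
        if rec.exam_report_filed is None:
            return None                           # exam report not filed: keep
        # longer of six calendar years or the filing of the examination report
        return max(add_years(rec.created, 6), rec.exam_report_filed)
    if rec.record_type == "cancelled_check":
        if rec.medium == "paper":
            return rec.created + timedelta(days=90)   # hard copy: 90 days
        return add_years(rec.created, 7)              # electronic copy: seven years
    raise ValueError(f"no retention rule for record type {rec.record_type!r}")


def destruction_decision(rec: Record, on: date) -> str:
    """Return 'hold', 'retain' or 'eligible' for one record as of date `on`."""
    if rec.legal_hold:
        return "hold"
    end = retention_end(rec)
    if end is None or on < end:
        return "retain"
    # A paper check past 90 days may only be shredded once its electronic copy
    # exists; otherwise destruction would remove the only copy.
    if rec.record_type == "cancelled_check" and rec.medium == "paper" \
            and not rec.electronic_copy:
        return "retain"
    return "eligible"


def audit_destruction_log(records: List[Record],
                          destroyed: List[Tuple[str, date]]) -> List[Tuple[str, str]]:
    """Audit test for slide 37: every destroyed record must have been eligible on
    its destruction date. Returns (record_id, reason) exceptions for the finding."""
    by_id = {r.record_id: r for r in records}
    exceptions = []
    for record_id, destroyed_on in destroyed:
        rec = by_id.get(record_id)
        if rec is None:
            exceptions.append((record_id, "destroyed record not in inventory"))
            continue
        decision = destruction_decision(rec, destroyed_on)
        if decision != "eligible":
            exceptions.append((record_id, f"destroyed while status was '{decision}'"))
    return exceptions


# Constructed sample inventory and destruction log.
INVENTORY = [
    Record("M-1", "mortgage", date(2011, 3, 1)),
    Record("M-2", "mortgage", date(2013, 9, 15)),
    Record("I-1", "insurance_policy", date(2008, 1, 10), exam_report_filed=date(2014, 11, 30)),
    Record("I-2", "insurance_policy", date(2008, 1, 10)),          # exam report not yet filed
    Record("C-1", "cancelled_check", date(2015, 1, 5), electronic_copy=True),
    Record("C-2", "cancelled_check", date(2015, 1, 5)),            # no electronic copy
    Record("C-3", "cancelled_check", date(2007, 2, 1), medium="electronic"),
    Record("M-3", "mortgage", date(2010, 6, 1), legal_hold=True),
]
DESTRUCTION_LOG = [
    ("M-1", date(2015, 6, 1)),   # fine: eligible since 2014-03-01
    ("M-2", date(2015, 6, 1)),   # premature: three years not yet elapsed
    ("C-2", date(2015, 6, 1)),   # paper check shredded without an electronic copy
    ("M-3", date(2015, 6, 1)),   # destroyed while under legal hold
    ("X-9", date(2015, 6, 1)),   # never inventoried
]

if __name__ == "__main__":
    for rec in INVENTORY:
        print(rec.record_id, destruction_decision(rec, AS_OF))
    for record_id, reason in audit_destruction_log(INVENTORY, DESTRUCTION_LOG):
        print("EXCEPTION", record_id, reason)
```

Each exception the audit returns maps to a "Common Findings" style observation: premature destruction, a shredded paper check with no archived copy, destruction under hold, or a destroyed item missing from the inventory.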
Slide 38: In-house or Third Party
- Determine what can be stored on site vs. off site. How will it affect daily business functions?
- Review the access controls for on-site storage of paper documents. Is access to on-site storage limited to employees with a business need?
- Perform due diligence over third party service providers. Regulators look for an established vendor approval method that is followed.

Slide 39: What About Security of Information and Records?
Slide 40: Internal Threats to Information Security
- Sloppiness and poor practice: poor destruction practices; documents containing NPPI left in exposed areas; poor data maintenance, input, and quality assurance.
- Loss and destruction of data: disasters; corruption; lack of change controls.
- Unauthorized use or access by employees.

Slide 41: External Threats to Information Security
- Theft
- Dumpster diving
- Vendors
- Break-ins
- Phishing and pharming: bogus e-mails requesting confidential data; malicious software redirecting users to fake websites to collect confidential data.

Slide 42: With All This Paper, How Can I Ensure It's Safe?

Slide 43: Safeguarding Against Threats
A successful Records Retention Program should incorporate the following GLBA safeguards to protect against information security threats:
- Administrative
- Physical
- Technical

Slide 44: Administrative Safeguards
Administrative safeguards are generally within the direct control of a department and may include:
- Checking references on potential employees and vendors.
- Training employees on the basic steps they must take to protect customer NPPI.
- Limiting access to customer NPPI to employees who have a business need to see it.
- Reducing exposure to the Safeguards Rule by requesting customer information only when it is required to conduct departmental activities.
- Ensuring that employees are knowledgeable about applicable policies and expectations.

Slide 45: Physical Safeguards
Physical safeguards are also generally within a department's control and may include:
- Locking rooms and file cabinets where customer information is kept.
- Using strong passwords, changing passwords periodically, and not sharing or writing them down.
- Encrypting sensitive customer information transmitted electronically.
- Being alert to fraudulent attempts to obtain customer information and reporting these to management for referral to appropriate law enforcement agencies.

Slide 46: Physical Safeguards
- Ensuring that storage areas are protected against destruction or potential damage from physical hazards.
- Storing records in a secure area and limiting access to authorized employees only.
- Disposing of customer information appropriately:
  - Designate a trained staff member to supervise the disposal of records (i.e. shredding).
  - Erase all data when disposing of computers, diskettes, hard drives, etc. that contain customer information.
  - Promptly dispose of outdated customer information within record retention policies.

Slide 47: Technical Safeguards
- Technical safeguards are generally the responsibility of the IT Department.
- Department staff should be knowledgeable about how their electronic customer information is safeguarded.
- Departments are responsible for alerting IT to the existence of customer information on networks.

Slide 48: Technical Safeguards
Technical safeguards include:
- Storing electronic customer information on a secure server.
- Avoiding storage of customer information on machines with an Internet connection.
- Using anti-virus software that updates automatically.
- Obtaining and installing patches that resolve software vulnerabilities.
- Following written contingency plans to address breaches of safeguards.
- Maintaining up-to-date firewalls, particularly if the financial institution allows staff to connect via VPN.
Slide 49: Auditing Your Records Management Program to Ensure Compliance

Slide 50: Ensuring Compliance
Successful auditing of your Records Retention Program should examine the following three levels:
- Employee Compliance
- Business Compliance
- Vendor Compliance

Slide 51: Employee Compliance
- Conduct after-hours walkthroughs and ensure Clean Desk policies are being followed.
- Verify that the current employee training program is consistent with GLBA requirements.
- Provide employees with a training acknowledgement form after completion of the GLBA training program.
- Periodically review the Training Completion Tracking report to identify any employees that have fallen behind.
- Test employees' knowledge through social engineering attempts and quizzes.

Slide 52: Social Engineering Examples

Slide 53: Social Engineering Examples

Slide 54: Social Engineering Prevention

Slide 55: Employee Knowledge Quiz

Slide 56: Business Compliance
- Ensure that required policies and the Information Security Program are up to date and approved annually by the Board of Directors.
- Review employee access controls, physical and electronic, to ensure rights are limited to business needs.
- Audit a sample of user access modifications to verify the change was properly supported.

Slide 57: Business Compliance
- Verify that any dual control and segregation of duties procedures are being followed: document destruction; moving documents to offsite storage.
- Review response measures taken to security incidents.
- Verify that Senior Management is monitoring departmental reports as required: employee training; record retention schedule.

Slide 58: Vendor Compliance
- Periodic monitoring of vendor practices.
- Review of vendor contracts to ensure the language provides protection for customers and the financial institution: incident response plan; abidance with regulatory standards; disposal of customer NPPI; reasonable measures taken to protect data; vendor's policy on use/monitoring of subcontractors.

Slide 59: Common Findings
- Vulnerable customer NPPI discovered during walkthroughs.
- Not all employees have completed privacy training.
- Contracts with third party service providers are unsigned, or do not include adequate privacy language.
- Risk assessments over customer information and vendors are incomplete or have inaccurate risk ratings.

Slide 60: Questions?

Slide 61: Thank You. Scott Baranowski, CIA, Director, Internal Audit Services.
More informationVMware vcloud Air HIPAA Matrix
goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory
More informationEAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )
EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder
More informationPCI Data Security and Classification Standards Summary
PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers
More informationBUSINESS ONLINE BANKING AGREEMENT
BUSINESS ONLINE BANKING AGREEMENT This Business Online Banking Agreement ("Agreement") establishes the terms and conditions for Business Online Banking Services ( Service(s) ) provided by Mechanics Bank
More informationSupplier IT Security Guide
Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA
More informationWEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY
WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4
More informationUtica College. Information Security Plan
Utica College Information Security Plan Author: James Farr (Information Security Officer) Version: 1.0 November 1 2012 Contents Introduction... 3 Scope... 3 Information Security Organization... 4 Roles
More informationFIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.
1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams
More informationTOOLBOX. ABA Financial Privacy
ABA Financial Privacy TOOLBOX This tool will help ensure that privacy remains a core value in all corners of your institution. The success of your privacy program depends upon your board s and your management
More informationIRONSHORE SPECIALTY INSURANCE COMPANY 75 Federal St. Boston, MA 02110 Toll Free: (877) IRON411
IRONSHORE SPECIALTY INSURANCE COMPANY 75 Federal St. Boston, MA 02110 Toll Free: (877) IRON411 Enterprise PrivaProtector 9.0 Network Security and Privacy Insurance Application THE APPLICANT IS APPLYING
More informationTitle: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION
Title: Data Security Policy Code: 1-100-200 Date: 11-6-08rev Approved: WPL INTRODUCTION The purpose of this policy is to outline essential roles and responsibilities within the University community for
More informationWhat s New with HIPAA? Policy and Enforcement Update
What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final
More informationData Security Incident Response Plan. [Insert Organization Name]
Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security
More informationMontclair State University. HIPAA Security Policy
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
More informationASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010
ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010 OBJECTIVE This Security Plan (the Plan ) is intended to create effective administrative, technical and physical safeguards for the protection
More informationEstate Agents Authority
INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in
More informationSection 5 Identify Theft Red Flags and Address Discrepancy Procedures Index
Index Section 5.1 Purpose.... 2 Section 5.2 Definitions........2 Section 5.3 Validation Information.....2 Section 5.4 Procedures for Opening New Accounts....3 Section 5.5 Procedures for Existing Accounts...
More informationHIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards
More informationAUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM
GENERAL: The Technology department is responsible for the managing of electronic devices and software for the District, as well as the Help Desk for resolution of employee-created help tickets. The subgroups
More informationMASSIVE NETWORKS Online Backup Compliance Guidelines... 1. Sarbanes-Oxley (SOX)... 2. SOX Requirements... 2
MASSIVE NETWORKS Online Backup Compliance Guidelines Last updated: Sunday, November 13 th, 2011 Contents MASSIVE NETWORKS Online Backup Compliance Guidelines... 1 Sarbanes-Oxley (SOX)... 2 SOX Requirements...
More informationWhy Lawyers? Why Now?
TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business
More informationINFORMATION SECURITY & PRIVACY INSURANCE WITH ELECTRONIC MEDIA LIABILITY APPLICATION
INFORMATION SECURITY & PRIVACY INSURANCE WITH ELECTRONIC MEDIA LIABILITY APPLICATION NOTICE: COVERAGE UNDER THIS POLICY IS PROVIDED ON A CLAIMS MADE AND REPORTED BASIS AND APPLIES ONLY TO CLAIMS FIRST
More information<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129
Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the
More informationSUPPLIER SECURITY STANDARD
SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard
More informationWritten Information Security Programs: Compliance with the Massachusetts Data Security Regulation
Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP A Note discussing written information security programs (WISPs)
More informationCOUNCIL POLICY NO. C-13
COUNCIL POLICY NO. C-13 TITLE: POLICY: Identity Theft Prevention Program See attachment. REFERENCE: Salem City Council Finance Committee Report dated November 7, 2011, Agenda Item No. 3 (a) Supplants Administrative
More informationIIABSC 2015 - Spring Conference
IIABSC 2015 - Spring Conference Cyber Security With enough time, anyone can be hacked. There is no solution that will completely protect you from hackers. March 11, 2015 Chris Joye, Security + 1 2 Cyber
More informationCloud Computing: Legal Risks and Best Practices
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
More informationINFORMATION SECURITY PROGRAM
WSCC Gramm-Leach-Bliley INFORMATION SECURITY PROGRAM November 30, 2012 Version 5.2 Table of Contents A. Introduction.Page 1 B. Program Coordinators..Page 2 C. Security Risk Assessment.Page 3 1. Employee
More informationPolicy No: TITLE: EFFECTIVE DATE: CANCELLATION: REVIEW DATE:
Policy No: TITLE: AP-AA-17.2 Data Classification and Data Security ADMINISTERED BY: Office of Vice President for Academic Affairs PURPOSE EFFECTIVE DATE: CANCELLATION: REVIEW DATE: August 8, 2005 Fall
More informationWhite Paper on Financial Institution Vendor Management
White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety
More informationStandard: Information Security Incident Management
Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of
More informationPrivacy Data Loss. Privacy Data Loss. Identity Theft. The Legal Issues
Doing Business in Oregon Under the Oregon Consumer Identity Theft Protection Act and Related Privacy Risks Privacy Data Loss www.breachblog.com Presented by: Mike Porter March 10, 2009 2 Privacy Data Loss
More informationGuide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR
Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR Information and Resources for Small Medical Offices Introduction The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario s health-specific
More informationFORM 20A.9 SAMPLE AUDIT PROGRAM FOR TESTING IT CONTROLS. Date(s) Completed. Workpaper Reference
FORM 20A.9 SAMPLE AUDIT PROGRAM FOR TESTING IT CONTROLS Workpaper Reference Date(s) Completed Organization and Staffing procedures used to define the organization of the IT Department. 2. Review the organization
More informationCentral Agency for Information Technology
Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage
More informationmicros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.
micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.5)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided
More informationHow To Protect A Hampden County Hmis From Being Hacked
Hampden County HMIS Springfield Office of Housing SECURITY PLAN Security Officers The Springfield Office of Housing has designated an HMIS Security Officer whose duties include: Review of the Security
More informationPII Compliance Guidelines
Personally Identifiable Information (PII): Individually identifiable information from or about an individual customer including, but not limited to: (a) a first and last name or first initial and last
More informationPage 1 of 15. VISC Third Party Guideline
Page 1 of 15 VISC Third Party Guideline REVISION CONTROL Document Title: Author: File Reference: VISC Third Party Guidelines Andru Luvisi CSU Information Security Managing Third Parties policy Revision
More informationProtecting the Information of Clients, Donors, the Organization, Oh MY! Stacey Keegan November 14, 2012
Protecting the Information of Clients, Donors, the Organization, Oh MY! Stacey Keegan November 14, 2012 Mission of Pro Bono Partnership of Atlanta: To maximize the impact of pro bono engagement by connecting
More informationUNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C
UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information
More informationARTICLE 14 INFORMATION PRIVACY AND SECURITY PROVISIONS
A. This Article is intended to protect the privacy and security of specified County information that Contractor may receive, access, or transmit, under this Agreement. The County information covered under
More informationHealth Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
More informationCREDIT CARD SECURITY POLICY PCI DSS 2.0
Responsible University Official: University Compliance Officer Responsible Office: Business Office Reviewed Date: 10/29/2012 CREDIT CARD SECURITY POLICY PCI DSS 2.0 Introduction and Scope Introduction
More informationInformation Security It s Everyone s Responsibility
Information Security It s Everyone s Responsibility Developed By The University of Texas at Dallas (ISO) Purpose of Training As an employee, you are often the first line of defense protecting valuable
More informationNetwork & Information Security Policy
Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk
More informationInstructions for Completing the Information Technology Officer s Questionnaire
Instructions for Completing the The (Questionnaire) contains questions covering significant areas of a bank s information technology (IT) function. Your responses to these questions will help determine
More informationSITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA
SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...
More information