Encryption Security Standard
|
|
- Agnes Reynolds
- 8 years ago
- Views:
Transcription
1 Virginia Commonwealth University Information Security Standard Title: Encryption Security Standard Scope: Approval February 22, 2012 This document provides the encryption requirements for all data generated, processed, stored, transmitted, or used by all VCU faculty, staff, students, contractors, business partners, IT service providers, and other employees on behalf of VCU. This document is not intended to be used with data that is personally owned by individual employees, where if lost or stolen, has no negative impact on VCU. Any unauthorized access or loss of VCU data or equipment containing VCU data should be reported according to the instructions defined in section VII of this standard. Effective March 1, 2012 Compliance July 1, 2013 Authority: VCU Information Security Officer Review Frequency: Annually, or as needed Revision History: Version Date Revision Issuance 0.1 August 4, 2011 Initial draft complete 0.2 August 22, September 6, February 22, 2012 Reviewed by IT Directors. Modifications made to definitions. Reviewed by Technology Advisory Committee Reviewed and approved by CIO This standard supersedes the following archived standards: VCU Security Standard for Encryption February, 2008
2 Table of Contents Contents I. PURPOSE... 3 II. DEFINITIONS... 3 III. RESPONSIBILITIES... 4 IV. STORAGE REQUIREMENTS... 4 V. TRANSMISSION REQUIREMENTS... 4 VI. EXCEPTION REQUESTS... 5 VII. REPORTING LOSS OR THEFT OF EQUIPMENT OR DATA... 5 VIII. COMPLIANCE... 5 Appendix A. Exception Request Form... 6 Page 2 of 7
3 I. PURPOSE This standard defines the encryption requirements for data generated, processed, stored, transmitted, or used by the Virginia Commonwealth University. This document is intended to be used by VCU Data Stewards and Data Custodians to determine the need and applicability of encryption for the data managed by these individuals II. DEFINITIONS Category I Data - All data that require breach notifications in the event of improper release as governed by Federal, State, industry regulations, and / or other civil statutes. (Please refer to the Data Classification Standards for additional information) Centrally Managed Network Storage Devices Redundant electronic storage devices that are not native or directly connected to an individual s desktop, laptop, or other computing device. The network storage device is physically hosted and managed in data center(s) which has appropriate physical access protection, monitoring, and access management controls. Locally hosted servers and storage devices, regardless of its networking capability or redundancy, will not be considered as a centrally managed network storage device. Encryption - The process or the means of converting original data to an unintelligible form so it cannot be read by unauthorized users. Fixed Storage Device Internal storage media used by a computer to store files. In a computer system, fixed storage devices are usually the computer s internal hard drive(s). Data Custodian - An individual or organization in physical or logical possession of data for data stewards. Data custodians are responsible for protecting the data in their possession from unauthorized access, alteration, destruction, or usage and for providing and administering general controls, such as back-up and recovery systems. The data custodians are directly responsible for the physical and logical security of the systems that are under their control. Data Steward The data steward is a University director or equivalent position who oversees the capture, maintenance and dissemination of data for a particular operation. The data steward is responsible to ensure data quality, develop consistent data definitions, sensitivity classifications, determine data aliases, develop standard calculations and derivations, define security requirements, document all appropriate business rules and monitor data quality within the source system and/or data warehouse. The data steward is also responsible for communicating data protection requirements to the data custodian; defining requirements for access to the data. Laptop Computer A laptop computer is a battery or AC powered portable computing device that operates on traditional desktop operating systems such as Microsoft Windows and Mac OSX. University Owned Equipment Unless specified otherwise by the sponsoring funding source, any equipment purchased with funding allocated to the Virginia Commonwealth Page 3 of 7
4 University, or its employees for the purpose of education, research, and administration. III. RESPONSIBILITIES The following section delineates responsibilities of VCU employees in relation to the encryption and protection of electronic data generated, processed, stored, transmitted, or used by the Virginia Commonwealth University. A. VCU Technology Services is responsible to implement and maintain an enterprise encryption solution that includes disk or file based encryption for desktops and laptops. The implemented solution shall include a secure centralized management system for administration and distribution of encryption software, keys, and key escrow. B. Data stewards are responsible to adhere to the storage and transmission requirements delineated in this standard, and collaborate with data custodians on the encryption of any applicable data. C. Data custodians are responsible to adhere to the storage and transmission requirements delineated in this standard, and implement the encryption solution on IT systems used to store and transmit any applicable data. IV. STORAGE REQUIREMENTS The following section delineates the encryption requirements for the storage of electronic data generated, processed, stored, transmitted, or used by the Virginia Commonwealth University. A. Unless stored on University centrally managed or comparable network storage devices, all Category I data must be encrypted when stored in electronic format. B. All fixed storage devices on University owned laptop computers must be encrypted with the VCU enterprise encryption solution. V. TRANSMISSION REQUIREMENTS The following section delineates the encryption requirements for the transmission of electronic data generated, processed, stored, transmitted, or used by the Virginia Commonwealth University. A. Encryption is required for session initiation and all electronic transmission of Category I data. Page 4 of 7
5 VI. EXCEPTION REQUESTS Exceptions to these standards may be requested by submitting an Information Security Policy and Standard Exception Request Form to the VCU Information Security Officer according to data ownership. This form is located in the Appendix A of this document. The Information Security Officer shall have authority to approve or deny any exception request. In the event a request is denied, the requesting party may submit an appeal to the respective Chief Information Officer for final arbitration. VII. VIII. REPORTING LOSS OR THEFT OF EQUIPMENT OR DATA In the event a computer workstation is lost or stolen, the theft or loss must be reported immediately to the VCU police at In the event that Category I data is suspected to be improperly accessed, lost, or stolen, the theft or loss must be reported immediately to the VCU information security office at or infosec@vcu.edu. COMPLIANCE Compliance with this Encryption Security Standard is the responsibility of all individuals who generate, store, process, transmit, or use VCU data. This standard establishes standards for these individuals actions in recognition of the fact that these individuals are provided unique system and data access, and that non-compliance to this agreement will be enforced through sanctions commensurate with the level of infraction. Violation of any of the foregoing requirements may subject an individual to temporary loss of access to data, and in severe cases, disciplinary action including, but not limited to, suspension or dismissal, in accordance with the Employee Standards of Conduct, the University s Rules and Procedures, the Promotion and Tenure Policies and Procedures, the University Policy for Administrative and Professional Faculty and Faculty Holding Administrative Appointments, and/or any other applicable University procedures. In addition, non-compliance may be violations of local, state, or federal laws or regulations. Violations may result in penalties such as fines and imprisonment. All individuals who generate, store, process, transmit, or use VCU data are expected to read, understand and agree to the responsibilities defined in this standard and any published revisions of this standard. Page 5 of 7
6 Appendix A. Exception Request Form VCU Information Security Policy and Standard Exception Request Form Requester Name / Role: Unit Name: Authoritative Unit Head: Requirement to which an exception is requested: Contact Phone: 1. Provide the business or technical justification: 2. Describe the scope, including quantification and requested duration (Not to exceed 1 year): 3. Describe all associated risks: 4. Identify the controls to mitigate the risks: 5. Identify any unmitigated risks: 6. When will compliance to policy or standard be achieved? By submitting this form, the Authoritative Unit Head acknowledges that they have evaluated the business issues associated with this request and accepts any and all associated risks as being reasonable under the circumstances. Authoritative Unit Head Signature: VCU Information Security Officer (ISO) Use Only Approval: Comments: Approved Denied Signature: VCU Chief Information Officer (CIO) Use Only (Used for Appeal) Approval: Comments: Approved Denied Signature: Page 6 of 7
7 Page 7 of 7
Virginia Commonwealth University Information Security Standard
Virginia Commonwealth University Information Security Standard Title: Scope: Data Classification Standard This document provides the classification requirements for all data generated, processed, stored,
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Business Continuity Management Standard for IT Systems This standard is applicable to all VCU School of Medicine
More informationVirginia Commonwealth University School of Medicine Information Security Standard
Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Handheld Mobile Device Security Standard This standard is applicable to all VCU School of Medicine personnel.
More informationADMINISTRATIVE POLICY # 32 8 2 (2014) Information Security Roles and Responsibilities
Policy Title: Information Security Roles Policy Type: Administrative Policy Number: ADMINISTRATIVE POLICY # 32 8 2 (2014) Information Security Roles Approval Date: 05/28/2014 Revised Responsible Office:
More informationR345, Information Technology Resource Security 1
R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,
More informationInformation Security Policy and Handbook Overview. ITSS Information Security June 2015
Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information
More informationWho Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5
Information Security Policy Type: Administrative Responsible Office: Office of Technology Services Initial Policy Approved: 09/30/2009 Current Revision Approved: 08/10/2015 Policy Statement and Purpose
More informationC. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)
I. Title A. Name: Information Systems Security Incident Response Policy B. Number: 20070103-secincidentresp C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)
More informationFAYETTEVILLE STATE UNIVERSITY POLICY ON INFORMATION SECURITY
FAYETTEVILLE STATE UNIVERSITY POLICY ON INFORMATION SECURITY Authority: Category: Applies to: Chancellor, Fayetteville State University University-wide Faculty, Staff, and Students History: Approved on
More informationBEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
More information`DEPARTMENT OF VETERANS AFFAIRS VA SOUTHEAST NETWORK Automated Information System User Access Notice
`DEPARTMENT OF VETERANS AFFAIRS VA SOUTHEAST NETWORK Automated Information System User Access Notice I understand, accept, and agree to the following terms and conditions that apply to my access to, and
More informationInformation Resources Security Guidelines
Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive
More informationInformation Security Program
Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security
More informationSierra College ADMINISTRATIVE PROCEDURE No. AP 3721
Sierra College ADMINISTRATIVE PROCEDURE No. AP 3721 Electronic Information Security and Data Backup Procedures Date Adopted: 4/13/2012 Date Revised: Date Reviewed: References: Health Insurance Portability
More informationHealth Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
More informationAppendix A: Rules of Behavior for VA Employees
Appendix A: Rules of Behavior for VA Employees Department of Veterans Affairs (VA) National Rules of Behavior 1 Background a) Section 5723(b)(12) of title 38, United States Code, requires the Assistant
More informationRULES GOVERNING COMPLIANCE OFFICERS OF DEALING MEMBER FIRMS 1
RULES GOVERNING COMPLIANCE OFFICERS OF DEALING MEMBER FIRMS 1 1. INTRODUCTION: These rules are made pursuant to Article 15 of the Rules and Regulations Governing Dealing Members (the Rules) and Section
More informationState HIPAA Security Policy State of Connecticut
Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.
More informationmicros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.
micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5
More informationCHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)
CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT) PURPOSE: The purpose of this procedure is to establish the roles, responsibilities, and communication procedures for the Computer Security Incident
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationUniversity of Hawai i Executive Policy on Data Governance (Draft 2/1/12)
University of Hawai i Executive Policy on Data Governance (Draft 2/1/12) I. Definition Data governance is the exercise of authority and control (planning, monitoring, and enforcement) over the management
More informationInformation Security Program Management Standard
State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES
More informationInformation Security Policy
Information Security Policy Policy Contents I. POLICY STATEMENT II. REASON FOR POLICY III. SCOPE IV. AUDIENCE V. POLICY TEXT VI. PROCEDURES VII. RELATED INFORMATION VIII. DEFINITIONS IX. FREQUENTLY ASKED
More informationHIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics
HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards
More informationPRIVACY AND INFORMATION SECURITY INCIDENT REPORTING
PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING PURPOSE The purpose of this policy is to describe the procedures by which Workforce members of UCLA Health System and David Geffen School of Medicine
More informationAPPROPRIATE USE OF INFORMATION TECHNOLOGY SYSTEMS INFRASTRUCTURE RESOURCES
APPROPRIATE USE OF INFORMATION TECHNOLOGY SYSTEMS (INCLUDING INTERNET & E-MAIL) EMC CORPORATE POLICY COPYRIGHT 2007 EMC CORPORATION. ALL RIGHTS RESERVED. NO PORTION OF THIS MATERIAL MAY BE REPRODUCED,
More informationPCI General Policy. Effective Date: August 2008. Approval: December 17, 2015. Maintenance of Policy: Office of Student Accounts REFERENCE DOCUMENTS:
Effective Date: August 2008 Approval: December 17, 2015 PCI General Policy Maintenance of Policy: Office of Student Accounts PURPOSE: To protect against the exposure and possible theft of account and personal
More informationCaldwell Community College and Technical Institute
Caldwell Community College and Technical Institute Employee Computer Usage Policies and Procedures I. PURPOSE: The purpose of this section is to define the policies and procedures for using the administrative
More informationComputer Security Incident Reporting and Response Policy
SECTION: 3.8 SUBJECT: Computer Security Incident Reporting and Response Policy AUTHORITY: Executive Director; Chapter 282.318, Florida Statutes - Security of Data and Information Technology Resources;
More informationIII. RESPONSIBILITIES
Issued by: Calvin O. Butts, III, President Effective Date: September 23, 2013 Page 1 of 5 I. POLICY & SCOPE This is the SUNY College at Old Westbury policy on College-provided access to electronic information
More informationThe University of Texas Health Science Center at Houston Institutional Healthcare Billing Compliance Plan JANUARY 14, 2013
JANUARY 14, 2013 I. Preamble The University of Texas Health Science Center at Houston (UTHealth) is committed to ensuring that its affairs are conducted in accordance with applicable laws and regulations.
More informationWright State University Information Security
Wright State University Information Security Controls Policy Title: Category: Audience: Reason for Revision: Information Security Framework Information Technology WSU Faculty and Staff N/A Created / Modified
More informationINFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES
INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES 1. INTRODUCTION If you are responsible for maintaining or using
More informationMontclair State University. HIPAA Security Policy
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
More information3. Fee. You are entitled to use the Equipment without cost so long as you abide by the terms and conditions of this Agreement.
Last Name, First Name THE CITY UNIVERSITY OF NEW YORK Notebook Computer License Agreement This document describes the license agreement between The City University of New York ( CUNY ) and the individual
More informationBUDGET LETTER 05-03 PEER-TO-PEER FILE SHARING 4841.1, 4841.2, EXECUTIVE ORDER S-16-04
BUDGET LETTER SUBJECT: PEER-TO-PEER FILE SHARING REFERENCES: STATE ADMINISTRATIVE MANUAL SECTIONS 4819.2, 4840.4, 4841.1, 4841.2, EXECUTIVE ORDER S-16-04 NUMBER: 05-03 DATE ISSUED: March 7, 2005 SUPERSEDES:
More informationCOUNCIL POLICY NO. C-13
COUNCIL POLICY NO. C-13 TITLE: POLICY: Identity Theft Prevention Program See attachment. REFERENCE: Salem City Council Finance Committee Report dated November 7, 2011, Agenda Item No. 3 (a) Supplants Administrative
More informationAPPROVED BY: DATE: NUMBER: PAGE: 1 of 9
1 of 9 PURPOSE: To define standards for appropriate and secure use of MCG Health electronic systems, specifically e-mail systems, Internet access, phones (static or mobile; including voice mail) wireless
More informationRowan University Data Governance Policy
Rowan University Data Governance Policy Effective: January 2014 Table of Contents 1. Introduction... 3 2. Regulations, Statutes, and Policies... 4 3. Policy Scope... 4 4. Governance Roles... 6 4.1. Data
More informationInformation Technology Branch Access Control Technical Standard
Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,
More informationSUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
More informationLAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
More informationMOBILE DEVICE SECURITY POLICY
State of Illinois Department of Central Management Services MOBILE DEVICE SECURITY Effective: October 01, 2009 State of Illinois Department of Central Management Services Bureau of Communication and Computer
More informationINFORMATION SECURITY Humboldt State University
CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY Humboldt State University Audit Report 14-50 October 30, 2014 EXECUTIVE SUMMARY OBJECTIVE The objectives of
More informationSAMPLE TEMPLATE. Massachusetts Written Information Security Plan
SAMPLE TEMPLATE Massachusetts Written Information Security Plan Developed by: Jamy B. Madeja, Esq. Erik Rexford 617-227-8410 jmadeja@buchananassociates.com Each business is required by Massachusetts law
More informationThe Importance of Organizing Your SJSU Information Assets
Standard: Asset Control Page 1 Executive Summary The Asset Control Standard defines the requirements for controlling and ensuring all SJSU computing hardware, software, and confidential assets are identified,
More informationSUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices
SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices 8-27-2015 4-007.1 Supersedes 4-007 Page Of 1 5 Responsible Authority Vice Provost for Information
More informationSecurity Awareness Training Policy
Security Awareness Training Policy I. PURPOSE This policy is intended to set the training standard for several key audiences in Salem State University, including, but not limited to: University executives,
More informationHuman Subject Research: HIPAA Privacy and Security. Human Research Academy 101
Human Subject Research: HIPAA Privacy and Security Human Research Academy 101 Your Enterprise Privacy Officer Christine Adams, CHC, CHPC Enterprise Privacy Officer Compliance & Enterprise Risk Management
More informationUF IT Risk Assessment Standard
UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved
More informationIdentity Theft Prevention Policy. Effective Date: January 1, 2011. Policy Statement
Identity Theft Prevention Policy Effective Date: January 1, 2011 Policy Statement Identity Theft is a crime in which an individual wrongfully obtains and uses another person's personal data, usually for
More informationINFORMATION SECURITY MANAGEMENT POLICY
INFORMATION SECURITY MANAGEMENT POLICY Security Classification Level 4 - PUBLIC Version 1.3 Status APPROVED Approval SMT: 27 th April 2010 ISC: 28 th April 2010 Senate: 9 th June 2010 Council: 23 rd June
More informationUniversity of Hartford. Software Management and Compliance Guidelines
University of Hartford Software Management and Compliance Guidelines This policy is issued in an effort to remind the University community of the importance of complying with that policy and to reiterate
More informationINFORMATION SECURITY & PRIVACY INSURANCE WITH ELECTRONIC MEDIA LIABILITY APPLICATION
INFORMATION SECURITY & PRIVACY INSURANCE WITH ELECTRONIC MEDIA LIABILITY APPLICATION NOTICE: COVERAGE UNDER THIS POLICY IS PROVIDED ON A CLAIMS MADE AND REPORTED BASIS AND APPLIES ONLY TO CLAIMS FIRST
More informationINFORMATION EXCHANGE AGREEMENT BETWEEN THE SOCIAL SECURITY ADMINISTRATION AND THE STATE OF [NAME OF STATE], [NAME OF STATE AGENCY]
2012 MODEL STC AGREEMENT INFORMATION EXCHANGE AGREEMENT BETWEEN THE SOCIAL SECURITY ADMINISTRATION AND THE STATE OF [NAME OF STATE], [NAME OF STATE AGENCY] AS THE STATE TRANSMISSION/TRANSFER COMPONENT
More informationHow To Write A Health Care Security Rule For A University
INTRODUCTION HIPAA Security Rule Safeguards Recommended Standards Developed by: USF HIPAA Security Team May 12, 2005 The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as a
More informationPolicy No: TITLE: EFFECTIVE DATE: CANCELLATION: REVIEW DATE:
Policy No: TITLE: AP-AA-17.2 Data Classification and Data Security ADMINISTERED BY: Office of Vice President for Academic Affairs PURPOSE EFFECTIVE DATE: CANCELLATION: REVIEW DATE: August 8, 2005 Fall
More informationOrder. Directive Number: IM 10-3. Stephen E. Barber Chief Management Officer
Pension Benefit Guaranty Corporation Order Subject: Protecting Sensitive Information Directive Number: IM 10-3 Effective Date: 4/23/08 Originator: OGC Stephen E. Barber Chief Management Officer 1. PURPOSE:
More informationInformation Security Policy
Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems
More informationGuide for the Role and Responsibilities of an Information Security Officer Within State Government
Guide for the Role and Responsibilities of an Information Security Officer Within State Government Table of Contents Introduction 3 The ISO in State Government 4 Successful ISOs Necessary Skills and Abilities
More informationINFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.
INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc. Copyright 2016 Table of Contents INSTRUCTIONS TO VENDORS 3 VENDOR COMPLIANCE PROGRAM OVERVIEW 4 VENDOR COMPLIANCE
More informationC.T. Hellmuth & Associates, Inc.
Technical Monograph C.T. Hellmuth & Associates, Inc. Technical Monographs usually are limited to only one subject which is treated in considerably more depth than is possible in our Executive Newsletter.
More informationTABLE OF CONTENTS. University of Northern Colorado
TABLE OF CONTENTS University of Northern Colorado HIPAA Policies and Procedures Page # Development and Maintenance of HIPAA Policies and Procedures... 1 Procedures for Updating HIPAA Policies and Procedures...
More informationRECORDS MANAGEMENT POLICY
RECORDS MANAGEMENT POLICY POLICY STATEMENT The records of Legal Aid NSW are a major component of its corporate memory and risk management strategies. They are a vital asset that support ongoing operations
More informationApproved by President Mohammed Qayoumi. Reviews: IT Management Advisory Committee
Policy History Date Action Approved by President Mohammed Qayoumi May 27, 2013 April 9, 2013 Reviews: IT Management Advisory Committee Draft Policy Released Table of Contents Introduction and Purpose...
More informationACCEPTABLE USE POLICY
ACCEPTABLE USE POLICY Title: Information Security - Acceptable Use Policy Subject: Information Security Policy No: ISO: 2013:01 Applies: University-wide Issuing Authority: Vice President for Information
More informationResearch Data Ownership, Retention, Access, and Security
, Access, and Security Policy Type: Administrative Responsible Office: VCU Office of Research and Innovation Initial Policy Approved: 05/15/09 Current Revision Approved: 11/05/2015 Policy Statement and
More informationSaint Louis University Merchant Card Processing Policy & Procedures
Saint Louis University Merchant Card Processing Policy & Procedures Overview: Policies and procedures for processing credit card transactions and properly storing credit card data physically and electronically.
More informationPolicy Title: HIPAA Security Awareness and Training
Policy Title: HIPAA Security Awareness and Training Number: TD-QMP-7011 Subject: HIPAA Security Awareness and Training Primary Department: TennDent/Quality Monitoring/Improvement Effective Date of Policy:
More informationAccounting and Administrative Manual Section 100: Accounting and Finance
No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security
More informationUniversity of Dayton Credit / Debit Card Acceptance Policy September 1, 2009
University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor
More informationPolicy for Accepting Payment (Credit) Card and Ecommerce Payments
Policy for Accepting Payment (Credit) Card and Ecommerce Payments 1 Revision Control Document Title: File Reference: Credit Card Handling Policy and Procedure PCI Policy020212.docx Date By Action Pages
More informationTop Ten Technology Risks Facing Colleges and Universities
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology
More informationCalifornia State University, Sacramento INFORMATION SECURITY PROGRAM
California State University, Sacramento INFORMATION SECURITY PROGRAM 1 I. Preamble... 3 II. Scope... 3 III. Definitions... 4 IV. Roles and Responsibilities... 5 A. Vice President for Academic Affairs...
More informationINITIAL APPROVAL DATE INITIAL EFFECTIVE DATE
TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology
More informationUNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C
UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information
More informationCITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number 95.51 PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9.
95.5 of 9. PURPOSE.. To establish a policy that outlines the requirements for compliance to the Payment Card Industry Data Security Standards (PCI-DSS). Compliance with this standard is a condition of
More informationHIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS
HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better
More informationTable of Contents INTRODUCTION AND PURPOSE 1
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 ( HIPAA ) COMPLIANCE PROGRAM Adopted December 2008: Revised February 2009, May, 2012, and August 2013 Table of Contents INTRODUCTION AND PURPOSE
More informationThe Design Society. Information Security Policy
The Design Society Policies and Forms That Conform to PCI DSS SAQ A Version 2.0 June 2014 About this Document This document contains The Design Society information security policies. This document is
More informationCal Poly Information Security Program
Policy History Date October 5, 2012 October 5, 2010 October 19, 2004 July 8, 2004 May 11, 2004 January May 2004 December 8, 2003 Action Modified Separation or Change of Employment section to address data
More informationDRAFT IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) Asset Management Policy #2430
DRAFT IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) Asset Management Policy #2430 POLICY INFORMATION Major Functional Area (MFA): Finance and Administration Policy Title: Asset Management Responsible
More informationNETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 TABLE OF CONTENTS
OFFICE OF THE CHIEF INFORMATION OFFICER NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO-6011-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section
More informationINDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3
INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS I. Introduction 2 II. Definitions 3 III. Program Oversight and Responsibilities 4 A. Structure B. Compliance Committee C.
More informationIT SECURITY EDUCATION AWARENESS TRAINING POLICY OCIO-6009-09 TABLE OF CONTENTS
OFFICE OF THE CHIEF INFORMATION OFFICER Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: Section I. PURPOSE II. AUTHORITY III. SCOPE IV. DEFINITIONS V. POLICY VI. RESPONSIBILITIES
More informationSpecific observations and recommendations that were discussed with campus management are presented in detail below.
CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California State University, San Bernardino Audit Report 14-55 March 18, 2015 EXECUTIVE SUMMARY OBJECTIVE
More informationData Protection Breach Management Policy
Data Protection Breach Management Policy Please check the HSE intranet for the most up to date version of this policy http://hsenet.hse.ie/hse_central/commercial_and_support_services/ict/policies_and_procedures/policies/
More informationINFORMATION SECURITY AND PRIVACY INSURANCE WITH ELECTRONIC MEDIA LIABILITY COVERAGE. I. GENERAL INFORMATION Full Name:
INFORMATION SECURITY AND PRIVACY INSURANCE WITH ELECTRONIC MEDIA LIABILITY COVERAGE NOTICE: COVERAGE UNDER THIS POLICY IS PROVIDED ON A CLAIMS MADE AND REPORTED BASIS AND APPLIES ONLY TO CLAIMS FIRST MADE
More informationDepartment of Veterans Affairs VA Handbook 6500. Information Security Program
Department of Veterans Affairs VA Handbook 6500 Washington, DC 20420 Transmittal Sheet September 18, 2007 Information Security Program 1. REASON FOR ISSUE: To provide specific procedures and establish
More informationCITY OF WAUKESHA HUMAN RESOURCES POLICY/PROCEDURE POLICY B-20 SOFTWARE USAGE AND STANDARDIZATION
CITY OF WAUKESHA HUMAN RESOURCES POLICY/PROCEDURE POLICY B-20 SOFTWARE USAGE AND STANDARDIZATION 1.0 Purpose and Scope of Policy It is the policy of the City of Waukesha (City) to respect all computer
More informationContact: Henry Torres, (870) 972-3033
Information & Technology Services Management & Security Principles & Procedures Executive Summary Contact: Henry Torres, (870) 972-3033 Background: The Security Task Force began a review of all procedures
More informationARTICLE 10. INFORMATION TECHNOLOGY
ARTICLE 10. INFORMATION TECHNOLOGY I. Virtual Private Network (VPN) The purpose of this policy is to provide guidelines for Virtual Private Network (VPN) connections to Education Division s resources.
More informationInformation Security Policy Manual
Information Security Policy Manual Latest Revision: May 16, 2012 1 Table of Contents Information Security Policy Manual... 3 Contact... 4 Enforcement... 4 Policies And Related Procedures... 5 1. ACCEPTABLE
More informationCMS IT - Requirements For Electronic Storage
Chief Information Officer Office of Information Services Centers for Medicare & Medicaid Services CMS Operational Policy for Disk Space Storage Management August 2004 Document Number: CMS-CIO-POL-INF02-01
More informationHamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004)
Hamilton College Administrative Information Systems Security Policy and Procedures Approved by the IT Committee (December 2004) Table of Contents Summary... 3 Overview... 4 Definition of Administrative
More informationITS Policy Library. 11.06 - Device Encryption. Information Technologies & Services
ITS Policy Library 11.06 - Device Encryption Information Technologies & Services Responsible Executive: Chief Information Officer, WCMC Original Issued: July 15, 2008 Last Updated: November 21, 2014 POLICY
More informationRevision Date: October 16, 2014 Effective Date: March 1, 2015. Approved by: BOR Approved on date: October 16, 2014
Information Security Information Technology Policy Identifier: IT-003 Revision Date: October 16, 2014 Effective Date: March 1, 2015 Approved by: BOR Approved on date: October 16, 2014 Table of Contents
More information