Information Security and CASA Programs

Transcription

1 Information Security and CASA Programs The comprehensive and ever-changing environment of information security poses specific challenges to CASA programs. Unlike other businesses or nonprofit organizations, CASA programs create, collect, access, and store information within several different categories. Each category of information has different security requirements. Categories of Information Category A Case and Child Information Case files Case Connection Case correspondence Medical provider info Category B Volunteer Information Identifying info Background and screening checks Medical, mental health, family history Evaluations, reviews Dismissal info Category C Personnel Information Identifying info Background and screening checks Medical/insurance info Salary info Evaluations, reviews, grievances Category D Financial Information Accounting and banking info Annual budget Annual audit Salary info Fundraising info IRS filings Category E Organizational Information Nonprofit and legal documents Board minutes Policies and procedures General correspondence Promotional and publicity info Information security requirements related to the information programs create, collect, access and store come from a variety of entities, including: Federal, state and local law (IRS, Secretary of State, FLSA, FMLA, HIPPA, Public Information Act) Funders (OAG, VOCA, OVAG, United Way, etc.) Texas Administrative Code for the Operation of Local CASA/GAL Programs DPS/FBI DFPS Texas CASA and National CASA Standards 1

2 Risk Management As programs seek to strengthen their information security policies and practices to ensure compliance with all requirements, an assessment of the level of risk associated with the categories of information and the way that information is created, collected, accessed and stored helps to identify first and critical action steps. High Risk of Harm-Most High Risk of Harm-Less Low Risk of Harm-Most Low Risk of Harm-Less category A Hard copy security category A Electronic secuirty breech category D Hard copy security breech categoriy D breech financial account numbers, passwords HIPPA violation resulting in legal action categories B,C Hard copy security categories B,C breech category E Hard copy security breech category E Common Causes of Information Security Breeches Electronic Security Breech: Inadequate/lost passwords, inadequate virus protection, inadequate firewall and network structure, screen viewing access, inadequate back-up (frequency, on or off site, versioning), mobile device loss, inadequate document destruction, erroneous sharing via insecure channels ( , texting, some cloud applications), failure to deactivate account access Hard Copy Security Breech: Inadequate secure storage, inadequate access and viewing restrictions, inadequate document destruction 2

3 Information Security Issues/Requirements To begin to address the most pressing information security issues, programs need to understand the specific security laws, rules, regulations, requirements and standards that apply to the different categories of information. The following list is designed to help programs begin to assess the various requirements related to the information they create, collect, access and store. It is not all-inclusive and programs are required to independently assess their own security needs and adapt both policy and practice accordingly. Category A: Case and Child Information Agency, Entity or Law: Texas Family Code Relationship to Local CASA Programs: Texas legal statute that define the rights and responsibilities of CASA programs and CASA advocates, also included in local court Orders of Appointment Signed Agreement? Yes, court order Confidentiality of files, reports, records, communications, and working papers used or developed in providing services Agency, Entity or Law: Texas Administrative Code Relationship to Local CASA Programs: Texas legal statute that establishes the rules for operation of local CASA programs A volunteer, director or employee may not communicate any confidential information about an individual being served by a local program to a person who is not authorized to know the confidential information Agency, Entity or Law: HIPPA (Health Insurance Portability and Information Act) Relationship to Local CASA Programs: Federal and state law Appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form Reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information Implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored *Also applicable to Categories B, C specifically related to medical information 3

4 Agency, Entity or Law: Texas Department of Family and Protective Services (DFPS) Relationship to Local CASA Programs: State agency that administers Case Connection portal and Automatic Background Check System (ABCS) that provides the Central Abuse and Neglect Registry information Training Required? Yes Training Materials: DFPS Enter Background Check Request-A Step by Step Guide for Designated ABCS Representation DFPS Security Requirements for CASA Organizations Signed Agreement? Yes Audit: Possible, no formal or rotational schedule Restricted access to authorized individuals Establish and maintain oversight and quality assurance around security Maintain authorized user list Procedure to report security breeches Electronic copies or storage only on devices encrypted at the disk or device level Prohibition to access via public computers or devices Virus protection and safety protocol including firewalls, anti-spyware, and anti-adware Paper copies labeled confidential Document destruction policy Secure password and password protected screen lock-out Deactivation of access for terminated personnel *Also applicable to Categories B, C specifically related to Central Abuse/Neglect Registry Check Agency, Entity or Law: National CASA Relationship to Local CASA Programs: National membership organization Audit: Self-assessment Electronic case data is backed up on a separate system at least once a week and the backup is off site Established procedures for encrypting confidential messages sent through public accounts Operational procedures and policies that govern IT systems, software, electronic data and information sharing via electronic media Operational procedures for document retention, storage and destruction *Also applicable to Categories A, B, C, D, E Agency, Entity or Law: Texas CASA Relationship to Local CASA Programs: State membership organization Audit: Currently not monitoring for security requirements Electronic case data is backed up on a separate system at least once a week and the backup is off site Operational procedures and policies that govern IT systems, software, electronic data and information sharing via electronic media 4

5 Operational procedures for document retention, storage and destruction *Also applicable to Categories A, B, C, D, E Categories B, C: Background Checks for Volunteers and Employees Agency, Entity or Law: Texas Department of Public Safety (DPS) Relationship to Local CASA Programs: State agency that administers fingerprint submission and criminal history information Training Required? Yes Training Materials: 5 online modules accessed during account setup TxDPS Crime Records Service Secure Website: Criminal History Record Information FACT Clearinghouse User Guide Signed Agreement? Yes Audit: Yes, once every 3 years Restricted access to authorized individuals Records stored electronically are subject to FBI CJIS Security Policy 5.0 Adequate physical security to prevent unauthorized viewing of records (locked files) Paper records must be stored separately from files accessed by non-authorized users Screen lock after 30 minutes of inactivity requiring password reentry Secure disposal of records and deactivation of rap back access Agency, Entity or Law: U.S. Department of Justice, Federal Bureau of Investigation (FBI), Criminal Justice Information Services (CJIS) Division Relationship to Local CASA Programs: Federal agency database accessed for criminal history information Training Required? Yes Training Materials: Criminal Justice Information Services (CJIS) Security Policy Signed Agreement? Yes Audit: Yes, once every two years See CJIS Security Policy 5.0 Electronic storage of records requires a dedicated IT staff, encryption software and a file management system dedicated and stored with restricted access Destruction of electronic information must occur via purging IT staff must be vetted prior to working on systems where records are stored Category C: Individual Personnel Information Agency, Entity or Law: Americans with Disabilities Act Relationship to Local CASA Programs: Federal law related to employee medical records 5

6 The following records must be maintained securely and separately from employee or volunteer personnel files: Oral, written, or digital information concerning an employee's mental or physical condition Medical, dental, disability records Worker s compensation and medical leave records Genetic information Health insurance information; and/or information concerning visits or payments to any health care professional, hospital, emergency room, or other type of short- or long-term health care facility Category D: Certain Financial Information and Records Agency, Entity or Law: Secretary of State, IRS Relationship to Local CASA Programs: State and federal law related to nonprofit corporations Records, books, and annual reports of the corporation's financial activity must be made available to the public for inspection and copying at the corporation's registered or principal office during regular business hours Categories D, E: Financial and Organizational Information Agency, Entity or Law: Public Information Act Relationship to Local CASA Programs: State law related open records requirements As a private entity that receives public/governmental funding, CASA programs are subject to open records requests on all information collected, assembled, or maintained pursuant to law or ordinance or in connection with the transaction of official business This includes all organizational information, including personal communication, in any form or format, including electronic communication sent or received via personal devices or accounts if used for business purposes This excludes specific case and child information and personnel information Summary To reiterate, this is not an exhaustive list of the information security requirements related to any of the agencies, entities or laws listed, or of those not included in this list. In exercising due diligence in meeting security requirements and assessing and mitigating potential risk, it is likely that outside assistance from a legal advisor or IT security professional would be beneficial. Texas CASA will continue to seek and distribute timely information and resources. 6