Implementing an Effective Information Security Program in Your Agency



Similar documents
Cyber Self Assessment

DRAFT National Rural Water Association Identity Theft Program Model September 22, 2008

Why Lawyers? Why Now?

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index

ALTA OFFICE SECURITY AND PRIVACY GUIDELINES ALTA

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

Smith College Information Security Risk Assessment Checklist

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

ASCINSURE SPECIALTY RISK PRIVACY/SECURITY PLAN July 15, 2010

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

County Identity Theft Prevention Program

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

How to Practice Safely in an era of Cybercrime and Privacy Fears

Page 1. Copyright MFA - Moody, Famiglietti & Andronico, LLP. All Rights Reserved.

plantemoran.com What School Personnel Administrators Need to know

HIPAA RISK ASSESSMENT

Career Connection, Inc. Data Privacy. Bringing Talent Together With Opportunity

ITS Policy Library Device Encryption. Information Technologies & Services

PII Compliance Guidelines

HIPAA Training for Hospice Staff and Volunteers

HIPAA: Bigger and More Annoying

Course: Information Security Management in e-governance

Information Security Plan effective March 1, 2010

PROPOSED PROCEDURES FOR AN IDENTITY THEFT PROTECTION PROGRAM Setoff Debt Collection and GEAR Collection Programs

Keeping Agency Data Secure

INFORMATION SECURITY FOR YOUR AGENCY

Identity Theft Prevention Program Compliance Model

How To Protect Your Data From Being Hacked

REMOTE WORKING POLICY

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

AUBURN WATER SYSTEM. Identity Theft Prevention Program. Effective October 20, 2008

CHIS, Inc. Privacy General Guidelines

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

Copyright Telerad Tech RADSpa. HIPAA Compliance

HIPAA Risk Assessments for Physician Practices

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Cyber Security Best Practices

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Protecting the Information of Clients, Donors, the Organization, Oh MY! Stacey Keegan November 14, 2012

Research Information Security Guideline

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

Beazley presentation master

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

PII Personally Identifiable Information Training and Fraud Prevention

Massachusetts Residents

PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING

Small Business IT Risk Assessment

Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice

Presented by Dave Olsen, CPA, President

Supplier Information Security Addendum for GE Restricted Data

Norton Mobile Privacy Notice

Travis County Water Control & Improvement District No. 17. Identity Theft Prevention Program. Effective beginning November 20, 2008

Must score 89% or above. If you score below 89%, we will be contacting you to go over the material individually.

CONNECTICUT RIVER WATERSHED COUNCIL, INC. DOCUMENT MANAGEMENT & WRITTEN INFORMATION SECURITY POLICY

Massachusetts Identity Theft/ Data Security Regulations

Protection of Computer Data and Software

Statement of Policy. Reason for Policy

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

Estate Agents Authority

Healthcare Security Vulnerabilities. Adam Goslin Chief Operations Officer High Bit Security

Wellesley College Written Information Security Program

Congregation Data Security Education

Acceptable Use Guidelines

Internet threats: steps to security for your small business

COUNCIL POLICY NO. C-13

Your security is our priority

Navigating the New MA Data Security Regulations

HIPAA Security. assistance with implementation of the. security standards. This series aims to

Web Site Download Carol Johnston

HIPAA ephi Security Guidance for Researchers

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY

Healthcare Compliance Solutions

Network Security for End Users in Health Care

Austin Peay State University

How To Protect Research Data From Being Compromised

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

The Practice of Internal Controls. Cornell Municipal Clerks School July 16, 2014

Guadalupe Regional Medical Center

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

BERKELEY COLLEGE DATA SECURITY POLICY

Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00)

System Security Plan University of Texas Health Science Center School of Public Health

Cyber Exposure for Credit Unions

The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures

Contents. Instructions for Using Online HIPAA Security Plan Generation Tool

Policy for Protecting Customer Data

Don t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Data Privacy: What your nonprofit needs to know. Donna Balaguer and Ed Lavergne Washington, D.C. February 5, 2015

PII = Personally Identifiable Information

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

HIPAA and Health Information Privacy and Security

SHS Annual Information Security Training

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

Gramm Leach Bliley Act. GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007

WHAT IS SENSITIVE INFORMATION?

MASSACHUSETTS IDENTITY THEFT RANKING BY STATE: Rank 23, 66.5 Complaints Per 100,000 Population, 4292 Complaints (2006) Updated January 17, 2009

Privacy Data Loss. Privacy Data Loss. Identity Theft. The Legal Issues

Transcription:

Implementing an Effective Information Security Program in Your Agency Presented by: Steve Aronson, Aronson Insurance Ted Joyce, N B Independent Brokerage Jeff Yates, Agents Council for Technology 1 Our Presenters Jeff Yates Agents Council for Technology IIABA Alexandria, VA Jeff.yates@iiaba.net 2

First, a Little Housekeeping Please enter your questions in the Question & Answer box You will receive a follow up email feel free to email me A recording will be available at www.iiaba.net/act at the Security & Privacy quick link, along with more tools & articles 3 Our Presenters Steve Aronson Aronson Insurance, Needham, MA 50/50 Personal & Commercial 3 offices, 20 employees AMS 360 user AUGIE Leader Chair, ACT Agency Security Best Practices Work Group 4

Our Presenters Ted Joyce N B Independent Brokerage Chicago, Illinois Multiple Offices P&C 100% commercial Nexsure Agency Management System AUGIE Leader 5 Focus of Webinar Protection of client & employee private personal information (PI) in your agency s custody Not only data-- all information whether electronic, paper, or voice The information may be in your system, in your files, on your desk, on PCs, mobile devices, home computers, back ups, thumb drives It may be in email, info entered on your website, or info sent to you using social media It may be in the possession of third party contractors 6

Why is this important? Law requires it: Gramm Leach Bliley State privacy, consumer protection and data breach notification laws Agents have been audited & fined Severe harm to client trust and business reputation if clients data is breached Some cost to implement these safeguards, but bigger cost if there is a breach of client or employee PI 7 Key First Steps Understand applicable laws & regulations Appoint Information Security Coordinator & involve your employees Develop your written information security plan Determine all of the PI you use & keep and every place where it might be found whether paper or electronic Decide who needs to see what & then restrict authorization Take advantage of the ACT prototype plan www.iiaba.net/act 8

What is Private Personal Information (PI)? Some examples (which differ in various federal and state laws): First name and last name, or first initial and last name, and any one or more of the following: Social Security number driver's license number, passport number, or state-issued identification number financial account number, or credit or debit card number, access code, personal identification number or password protected health information policy number 9 Steps to take with employees Train them! When hired At least annually Regular audits for compliance Keep written records of training & audits Cut off terminated employees immediately from any access Remind staff about safe surfing regularly Monitor your employee s adherence to the plan as well as the system for any unusual patterns (Discuss with your IT professional) 10

Internal Physical Risks to Manage Your Office locks on doors & windows central station burglar alarm Escort visitors Lock file cabinets & desks No documents with PI left on desks. Or password information Must shred all PI documents & wipe all data off computers & other devices 11 Network Protection Use a network professional Firewall: commercial grade hardware best Virus & malware protection on servers, desktops portable devices and home computers Keep all hardware & software versions up-to-date; automatic updates best 12

Computer Protection Servers strong passwords; changed regularly; locked down tight Desktop PCs strong passwords (AsjRkx7#) & regularly changed Staff can t share ID s and passwords No storage of PI on desktops, laptops or mobile devices Use screen saver with password protection every 15-30 minutes 13 Major External Risks Encrypt backups, thumb drives & PCs; password protect all mobile devices Keep PI off laptops, mobile devices & home computers Do not leave portable devices in your car - EVER Download software that will wipe data from mobile devices if lost Use Real Time tool to manage carrier passwords 14

Additional External Risks Connect to office through SSL / VPN connection Use non-default password on all WiFi connections from within the agency office as well as laptops Before discarding: destroy data on PCs, copiers, fax & scanners & other portable computers & devices Obtain written commitment from third party contractors to protect your data 15 Secure Email Email is like an open postcard PI often contained on CL applications TLS or Transport Layer Security industry recommended solution Needs to be turned on & key obtained from trusted certificate authority Partner with carriers and large clients Proprietary secure email solutions Real Time is secure See Security & Privacy page at www.iiaba.net/act for TLS info 16

Other Internet exposures Do not ask for PI or ids & passwords on online quote forms without initiating a SSL connection (https) Social Media: keep PI off this channel; when discussion moves to specific client situations, take it to regular agency channels Do not use the same passwords on your social media sites as you use for your other business sites See ACT s Don t Get Caught in the Web & Agency E&O Considerations when using Social Media www.iiaba.net/act on Security & Privacy page 17 Questions 18

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information