TABLE OF CONTENTS INTRODUCTION... 1 OVERVIEW... 1

Similar documents
Estate Agents Authority

How To Protect Decd Information From Harm

Authorized. User Agreement

HIPAA Security Alert

BERKELEY COLLEGE DATA SECURITY POLICY

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

VMware vcloud Air HIPAA Matrix

Information Systems Security Policy

8.03 Health Insurance Portability and Accountability Act (HIPAA)

IT ACCESS CONTROL POLICY

OCR UPDATE Breach Notification Rule & Business Associates (BA)

Information Security Program Management Standard

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

All Users of DCRI Computing Equipment and Network Resources

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY

MOBILE DEVICE SECURITY POLICY

U.S. Department of the Interior's Federal Information Systems Security Awareness Online Course

Virginia Commonwealth University School of Medicine Information Security Standard

Supplier IT Security Guide

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

Network Security Policy

PRIVACY AND INFORMATION SECURITY INCIDENT REPORTING

The Ministry of Information & Communication Technology MICT

Information Security Policy for Associates and Contractors

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

PRAIRIE SPIRIT SCHOOL DIVISION NO. 206, BOX 809, 121 KLASSEN STREET EAST, WARMAN, SK S0K 4S0 -- PHONE: (306)

DHHS Information Technology (IT) Access Control Standard

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

Network and Workstation Acceptable Use Policy

INFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL

Tenth Judicial Circuit of Florida Information Systems Acceptable Use Guidelines Polk, Hardee and Highlands Counties as of January 2014

PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation )

a) Access any information composed, created, received, downloaded, retrieved, stored, or sent using department computers.

Telemedicine HIPAA/HITECH Privacy and Security

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Hamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004)

Table of Contents INTRODUCTION AND PURPOSE 1

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Information Circular

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

`DEPARTMENT OF VETERANS AFFAIRS VA SOUTHEAST NETWORK Automated Information System User Access Notice

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index

Information Security Policy

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Information Security Policy

Information Security Policy

HIPAA Audit Risk Assessment - Risk Factors

Information Security and Electronic Communications Acceptable Use Policy (AUP)

DRAFT National Rural Water Association Identity Theft Program Model September 22, 2008

Appendix A: Rules of Behavior for VA Employees

State of Vermont. System/Service Password Policy. Date: 10/2009 Approved by: Neale F. Lunderville Policy Number:

Responsible Access and Use of Information Technology Resources and Services Policy

INFORMATION SECURITY GUIDELINES

EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES

M&T BANK CANADIAN PRIVACY POLICY

HIPAA Training for Staff and Volunteers

How To Protect Data At Northeast Alabama Community College

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO TABLE OF CONTENTS

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

HIPAA and Privacy Policy Training

BUSINESS ASSOCIATE ADDENDUM

INFORMATION SECURITY Humboldt State University

Identity Theft Prevention Program Compliance Model

POLICIES AND REGULATIONS Policy #78

Ohio Supercomputer Center

COMPUTER USE POLICY. 1.0 Purpose and Summary

Montclair State University. HIPAA Security Policy

Chronic Disease Management

How To Ensure Health Information Is Protected

UNIVERSITY OF ROCHESTER INFORMATION TECHNOLOGY POLICY

Career Connection, Inc. Data Privacy. Bringing Talent Together With Opportunity

Supplier Information Security Addendum for GE Restricted Data

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

California State University, Sacramento INFORMATION SECURITY PROGRAM

LINCOLN UNIVERSITY. Approved by President and Active. 1. Purpose of Policy

Guadalupe Regional Medical Center

Information Resources Security Guidelines

University System of Maryland University of Maryland, College Park Division of Information Technology

At Cambrian, Your Privacy is Our Priority. Regardless of how you deal with us on the phone, online, or in person we have strict security measures

SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees

Policies and Procedures for Electronic Protected Health Information (ephi) and Personally Identifiable Information (PII)

PII Personally Identifiable Information Training and Fraud Prevention

Lisbon School District 15 Newent Road Lisbon, CT 06351

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

This policy applies to all DRC employees, contractors, volunteers, interns and other agents of the state.

Peace Corps Office of the OCIO Information and Information Technology Governance and Compliance Rules of Behavior for General Users

What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER

This procedure is associated with BCIT policy 6700, Freedom of Information and Protection of Privacy.

P Mobile Device Security.

HIPAA Security Training Manual

CITY UNIVERSITY OF HONG KONG. Information Classification and

ROCHESTER AREA SCHOOL DISTRICT

Data Security John Hopkins Core Operations Manager Melanie Williams, Ph.D. Branch Manager Texas Cancer Registry April 17, 2009

Information Technology Services Guidelines

Transcription:

TABLE OF CONTENTS INTRODUCTION... 1 OVERVIEW... 1 CRITERIA FOR IDENTIFYING CONFIDENTIAL INFORMATION... 1 Customer Specific Information... 2 Competitively Sensitive Information... 2 CONFIDENTIALITY PROCEDURES... 2 The CIMS Coordinator... 2 VEIC Employees and Contractors... 3 VEIC Network Administrator... 5 i

INTRODUCTION This document codifies the policies, procedures, and guidelines by which Vermont Energy Investment Corporation ( VEIC ) and its Contractors shall handle confidential information. Confidential information consists of data that is (1) acquired from utilities, or (2) developed in the course of implementing Energy Efficiency Utility ( EEU ) programs, or (3) competitively sensitive information. OVERVIEW Efficiency Vermont provides an essential utility service. Because carrying out Efficiency Vermont s statewide responsibilities requires the same electric utility customer information as the utilities themselves needed previously, it is an overarching principle that individual customer consent is not required for Efficiency Vermont to acquire and utilize customer information from the utilities. Though Efficiency Vermont must have access to electric utility customer information, the Vermont Public Service Board ( Board ) requires Efficiency Vermont to strictly protect that information from disclosure to unauthorized individuals or entities. Section V.6 of the Process and Administration of an Energy Efficiency Utility Order of Appointment document issued pursuant to Docket 7466 mandates that: An EEU shall maintain a Confidential Information Management System to provide appropriate protections in the collection, processing, storage and retrieval of information that is customer specific or competitively sensitive, i.e., that could otherwise provide an unfair competitive advantage to an entity engaged in the provision of energy services outside the scope of responsibilities of the Appointment, and inform the DPS of any changes to that system. The Confidential Information Management System (CIMS) was developed to meet this mandate. The CIMS includes criteria to identify confidential information and to provide specific procedures to safeguard this information against inappropriate use or disclosure. The procedures detailed in CIMS apply to all VEIC staff and all Efficiency Vermont Contractors, consultants, and anyone else, including those affiliated with third parties, who access Confidential Information and material through Efficiency Vermont. CRITERIA FOR IDENTIFYING CONFIDENTIAL INFORMATION The term Confidential Information is defined as (1) customer-specific information, or (2) competitively-sensitive information. Confidential Information is not restricted in format. It can be any material containing data meeting the definitions below, including without limitation,

written or printed documents, electronic data on computer disks, tapes, or any other medium, drawings, schematics, or any other tangible item. Once it has been determined that information is Confidential Information, it is subject to the procedures detailed in this document. Customer-Specific Information "Customer-specific information" is defined as any information which specifically identifies a single customer using one or more unique references including, but not limited to, customer name, mailing address, phone numbers, e-mail addresses, designations of physical location, electric utility usage data, or electric utility account numbers. Generally, customer-specific information will be un-aggregated. However, if it is possible to ascertain customer-specific information from a collection of aggregated data, then such aggregated data shall be considered confidential. For example, if a collection of data by town allowed one to determine information about a specific customer because there was clearly only one customer in a particular town then that data should be treated as confidential information. Competitively Sensitive Information "Competitively-sensitive information" is defined as information that could provide an unfair competitive advantage to an entity delivering services outside of the energy efficiency services approved by the Board for Efficiency Vermont implementation. The intent is to ensure that no information (either customer specific, aggregated customer data or market-related data) is provided to any entity such that the entity would have an unfair advantage in providing non- Efficiency Vermont energy efficiency services over any other entities. For example, providing a particular engineering firm with data about the commercial new construction market could give that firm an advantage over other engineering firms. Other examples of competitively sensitive market data may include, but are not limited to, customer surveys, aggregated sales data, load research and appliance saturation data. CONFIDENTIALITY PROCEDURES The intent of CIMS is to ensure that Confidential Information is not disclosed to parties who would use such information for non-efficiency Vermont energy efficiency services. The CIMS Coordinator The CIMS Coordinator shall maintain the adequacy of current procedures and guidelines to assure that the contractual obligations with respect to the handling of Confidential Information are met. The CIMS Coordinator can be reached at cimscoordinator@veic.org. Specifically the CIMS Coordinator is responsible for: Ensuring that all VEIC Employees, all Efficiency Vermont Contractors and any other individuals or entities who have access to the Confidential Information have been provided a copy of the General Confidentiality Guidelines Memo (attached as Appendix A) prior to gaining access to the Confidential Information. 2

1. Ensuring that all VEIC Employees, all Efficiency Vermont Contractors and any other individuals or entities who have access to Confidential Information have signed the Protective Agreement (attached as Appendix B). The CIMS Coordinator will ensure that each individual understands their obligations as detailed in the protective agreement. The protective agreement shall be signed prior to the granting of access to the Confidential Information. 2. Determining whether or not a party requesting access to Confidential Information is actually providing Efficiency Vermont services and will use such Confidential Information strictly for Efficiency Vermont purposes. 3. Determining whether or not data or any particular item of information is or is not Confidential Information as defined above. 4. Conducting investigations into any alleged compromises, incidents and / or problems regarding Confidential Information and reporting the results of such investigations to the managers or director of Efficiency Vermont. 5. If the results of such investigations determine that Confidential Information was actually improperly released, the CIMS Coordinator shall immediately notify the Vermont Department of Public Service s ( Department ) Chief of Consumer Affairs & Public Information. All prudent steps will be taken to ensure that no further Confidential Information is improperly disclosed. All prudent steps will be taken to retrieve such Confidential Information from the unauthorized receiving party. 6. Ensuring that all new VEIC employees and Efficiency Vermont Contractors are provided with adequate training such that they fully understand the CIMS procedures and guidelines. 7. Revising or modifying CIMS procedures as deemed necessary to ensure the continued safeguarding of Confidential Information. The CIMS Coordinator shall gain approval of the Efficiency Vermont senior managers and director prior to implementing any CIMS modifications. The CIMS Coordinator will inform the Department s Chief of Consumer Affairs & Public Information of the changes. 8. Providing VEIC and Efficiency Vermont Contractors with training on CIMS modifications and as needed refresher training regarding the operation of CIMS. VEIC Employees and Contractors 1. All VEIC employees, all Efficiency Vermont Contractors, and any other individuals or entities shall, prior to receiving any Confidential Information, be provided with the General Confidentiality Guidelines Memo, Contractors will also sign a protective agreement prior to gaining access to Confidential Information. The protective agreement states that they shall not access, use, or disclose to any other person, Confidential Information except in accordance with CIMS procedures and only for the purposes of implementing Efficiency Vermont energy efficiency programs. The Contractor shall limit access to the Confidential 3

Information to only those of the Contractor s employees or authorized representatives who (a) have a need to know the Confidential Information for the provision of services to Efficiency Vermont or to Efficiency Vermont customers, and (b) have signed confidentiality agreements containing confidentiality obligations at least as restrictive as those contained herein. 2. VEIC employees and Contractors shall deny all requests for Confidential Information from any and all parties whose intent is to use such Confidential Information for non-efficiency Vermont purposes. If there is any question as to whether or not the requesting party will be using the Confidential Information to provide Efficiency Vermont energy efficiency services, then this request shall be referred to the CIMS Coordinator. If there is any question as to whether or not the information being requested is Confidential Information as defined above, such requests shall also be referred to the CIMS Coordinator. 3. VEIC employees shall verify with the CIMS Coordinator that any party that is authorized to receive Confidential Information has received a copy of the General Confidentiality Guidelines Memo and has signed the protective agreement prior to releasing any Confidential Information to such a party. 4. VEIC employees who are providing non-efficiency Vermont services shall not use any Confidential Information in providing these non-efficiency Vermont services. 5. VEIC employees will ensure that any visitors to VEIC s offices are not allowed access to any Confidential Information unless they are specifically authorized in accordance with the CIMS procedures. 6. All paper copies of Confidential Information that are being disposed of shall first be shredded. 7. Efficiency Vermont cannot publish or print promotional materials identifying a specific customer, their location or identifiable Efficiency Vermont project information without prior written permission from the customer. Such materials can only be used for Efficiency Vermont marketing or promotional purposes. 8. All senior managers of VEIC and Efficiency Vermont shall receive a copy of this document and will read and fully understand the procedures outlined herein. 9. VEIC employees and Efficiency Vermont Contractors provided with a VEIC Computer Network login to access VEIC s computer network shall adhere to the following password provisions: Users shall choose passwords that are difficult to guess. Passwords must be seven characters in length or greater. Passwords must contain any two of the following: alpha, numeric, capitalization, characters. Passwords must not be a dictionary word or include personal names. 4

Passwords must not be written down and left in a place where unauthorized persons might discover them. Under no circumstances, shall VEIC employees or Contractors share or reveal their passwords to anyone at all. 10. Portable, laptop, notebook, personal data assistants, tablet computers, smart phones, and other transportable computers containing Confidential Information, must not be left unsecured at any time. 11. The CIMS Coordinator must be notified immediately when: Any materials or equipment containing or suspected of containing Confidential Information is lost, disclosed to unauthorized parties, or suspected of being lost or disclosed to unauthorized parties. Unauthorized use of Efficiency Vermont s information systems has taken place, or is suspected of taking place. Network logins and or passwords are lost, stolen, or disclosed, or are suspected of being lost, stolen, or disclosed. There are any other problems or concerns regarding Efficiency Vermont s Confidential Information Management Systems. VEIC Network Administrator The VEIC Network Administrator is expected to utilize the available VEIC computer network security services to ensure that access is not gained to VEIC s computer network by any unauthorized parties. The Network Administrator is responsible for: 1. Initial setup and maintenance of users access privileges. Assigning a unique User-ID to each authorized user after proper documentation has been completed. Requests for user access privileges must be granted only by a clear chain of authority delegation. Written approval must be obtained from an appropriate VEIC manager before the Network Administrator may grant or modify network privileges. System and network privileges for all users must be restricted based on the need-toknow and authorized by an appropriate VEIC manager. Individuals who are not VEIC employees must not be granted access or have their access modified without the advance written approval from an appropriate VEIC manager. 2. Monitoring all computer security related events. The Network Administrator shall follow up on any actual or suspected security violations and notify the CIMS Coordinator of all such incidents. 5

3. Ensuring that all Efficiency Vermont data storage devices that contain confidential data, such as hard drives on the network server, shall not be easily removable. The servers containing such data storage devices shall be in computer equipment rooms that are be locked. 4. Ensuring that all computers permanently or intermittently connected to Efficiency Vermont networks must have login and password access controls. 5. The Network Administrator shall devise and implement a change-password schedule, notify all users of the schedule, and perform follow-up to ensure that the schedule has been adhered to. All users shall, at a minimum, be required to change their passwords once per calendar year. 6. Whenever it is known that system / network security has been compromised, or there is substantial reason to believe that it may have been compromised, the Network Administrator will require all users to change their passwords as soon as possible. This will be in addition to the normal, scheduled password changes. 7. An Internet firewall will be deployed to ensure that unauthorized individuals cannot access information stored within the computer systems from outside of VEIC s computer network. 8. The Network Administrator will ensure that VEIC network infrastructure includes sufficient automated tools to assist the administrator in verifying the systems' security status. 9. Having systems in place such that all remote access to Efficiency Vermont Confidential Information over the Internet is encrypted. 10. Any removable media used to back up the electronic data and that contains copies of confidential data or information shall be stored in a physically secure (locked) location. 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information