Information Security Policy


Purpose

The risk to Charleston Southern University, its employees and students from data loss and identity theft is of significant concern to the University and can be reduced only through the combined efforts of every employee and contractor. Charleston Southern University adopts this sensitive information policy to help protect employees, students, contractors and the University from damages related to the loss or misuse of sensitive information.

This policy will:
1. Define sensitive information;
2. Describe the physical security of data when it is printed on paper;
3. Describe the electronic security of data when stored and distributed; and
4. Place the University in compliance with federal law regarding identity theft protection.

This policy enables the University to protect students and employees, reducing risk from identity fraud, and minimize potential damage to the University. The program will help Charleston Southern University:
1. Identify risks that signify potentially fraudulent activity within new or existing covered accounts;
2. Detect risks when they occur in covered accounts;
3. Respond to risks to determine if fraudulent activity has occurred and act if fraud has been attempted or committed; and
4. Update the program periodically, including reviewing the accounts that are covered and the identified risks that are part of the program.

Scope

This policy and protection program applies to employees (including student workers), volunteers, contractors, consultants, temporary workers, and other workers at Charleston Southern University, including all personnel affiliated with third parties.

Sensitive Information Policy

Definition of Sensitive Information

"Sensitive Information" refers to the facts, data, or knowledge itself regardless of the medium of its conveyance. Therefore, documents are deemed to convey or contain information and are not considered to be information per se. Sensitive Information is to be categorized in one of the following classifications:
- Business Sensitive
- Personnel Sensitive
- Attorney-Client Privileged
- Other

Written 2/15/09 Page 1

For information to be considered "Sensitive Information", the information must have the potential to damage the University's interests, or an individual's private interests, if disseminated to or obtained by persons who do not need the information to perform their jobs or other University-authorized activities. Information that is available in the public domain is generally not considered to be Sensitive Information. The following are the categories and examples of Sensitive Information in use at the University.

Business Sensitive Information

The following are examples of the potential types of Business Sensitive information in use within the University. Note: this information may be the result of the University's own business activities; it may have been provided by a vendor or sub-contractor, or a combination thereof.

Commercial/proprietary information generally concerns information such as trade secrets, business plans, financial or cost data received from a company doing business or contemplating business with the University. Personal statements or documents supplied by contractors in the course of inspections, reviews, site visits, investigations, or audits, when such information is received in confidence, should also be maintained as Business Sensitive Information. Information produced by the University in the performance of work (basic research, Cooperative Research and Development Agreements, etc.) may be considered proprietary by the University, or by a vendor or subcontractor to the University, and consequently be Business Sensitive Information. Also, privileged information such as the University's acquisition/evaluation plans, and results of evaluations and audits, should be maintained as Business Sensitive Information. Intellectual property, contract negotiation information, procurement data, and research and development information considered proprietary are also to be considered Business Sensitive Information. Pre-decisional information involving internal University business communications or plans that have not been published or determined to be final may also be defined as Business Sensitive Information.

Personnel Sensitive Information

Personnel Sensitive Information includes personnel and medical files and similar files whose disclosure would constitute a clear unwarranted invasion of privacy. Examples include employee payroll data, tax reports and payments, payments for employee benefit and welfare plans, travel related costs and information, employee performance information and medical records. Note: this information usually falls under the protection of the Privacy Act of 1974. Personally Identifiable Information, such as a date of birth, Social Security Account Number or a driver's license number, is classified as Personnel Sensitive Information.

Attorney-Client Privileged Information

Attorney-client privileged information or working papers prepared by an attorney in contemplation of litigation. Contact the University's legal counsel for instructions before creating or accepting any information that may be considered "Attorney-Client Privileged Information."

Other

The University may receive Sensitive Information from other entities, such as vendors, subcontractors, or other business partners. Staff should always remember that the University is responsible for maintaining the same level of security for Sensitive Information delivered by an external source as is maintained for Sensitive Information developed from within the University. University personnel are encouraged to use common sense judgment in securing confidential information to the proper extent. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact their supervisor.

Hard Copy Distribution

Physical Storage - Store documents and computer media in appropriate receptacles (Department groups should determine the level of protection required for specific documents, i.e., fire proof safes, locked files or desk drawers, etc.). Locking the office alone is not adequate.

Document Destruction - When documents containing sensitive information are discarded they will be placed inside a locked shred bin or immediately shredded using a mechanical cross cut shredding device. University records, however, may only be destroyed in accordance with the University's records retention policy.

Locked Offices - Offices containing Sensitive Information shall be locked whenever the office is vacated and at the end of each business day.

Visitor Control - Staff should be vigilant to ensure that visitors (including contractors) cannot access Sensitive Information.

Electronic Distribution

Each employee and contractor performing work for Charleston Southern University will comply with the policies set forth in the Information Technology Security Policy and the GLB Security Plan, both of which are posted on the University website at http://www.csuniv.edu/adminservices/dcs/.

Additional Identity Theft Prevention Program

Covered accounts

A covered account includes any account that involves or is designed to permit multiple payments or transactions. Every new and existing customer account that meets the following criteria is covered by this program:
1. Accounts for which there is a reasonably foreseeable risk of identity theft; or
2. Accounts for which there is a reasonably foreseeable risk to the safety or soundness of the University from identity theft, including financial, operational, compliance, reputation, or litigation risks.

Red flags

The following red flags are potential indicators of fraud. Any time a red flag, or a situation closely resembling a red flag, is apparent, it should be investigated for verification.
1. Alerts, notifications or warnings from a consumer reporting agency;
2. A fraud or active duty alert included with a consumer report;
3. A notice of credit freeze from a consumer reporting agency in response to a request for a consumer report; or
4. A notice of address discrepancy from a consumer reporting agency as defined in 334.82(b) of the Fairness and Accuracy in Credit Transactions Act.
5. Red flags also include consumer reports that indicate a pattern of activity inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
   - A recent and significant increase in the volume of inquiries;
   - An unusual number of recently established credit relationships;
   - A material change in the use of credit, especially with respect to recently established credit relationships; or
   - An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
6. Suspicious documents
   - Documents provided for identification that appear to have been altered or forged.
   - The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
   - Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
   - Other information on the identification is not consistent with readily accessible information that is on file with Charleston Southern University.
7. Suspicious personal identifying information
   - Personal identifying information provided is inconsistent when compared against external information sources used by Charleston Southern University. For example:
     - The address does not match any address in the consumer report;
     - The Social Security number (SSN) has not been issued or is listed on the Social Security Administration's Death Master File; or
     - Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
   - Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by Charleston Southern University. For example, the address on a document submission is the same as the address provided on a fraudulent document.
   - Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by Charleston Southern University. For example:
     - The address on a document is fictitious, a mail drop, or a prison; or
     - The phone number is invalid or is associated with a pager or answering service.
   - The SSN provided is the same as that submitted by another student.
   - The address or telephone number provided is the same as or similar to the address or telephone number submitted by an unusually large number of other students.
   - The student fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
   - Personal identifying information provided is not consistent with personal identifying information that is on file with Charleston Southern University.
   - When using security questions (mother's maiden name, pet's name, etc.), the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
8. Unusual use of, or suspicious activity related to, the covered account
   - Shortly following the notice of a change of address for a covered account, Charleston Southern University receives a request for a replacement check.
   - A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
   - Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.
   - Charleston Southern University receives notice from students, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the University.

Responding to Red Flags

Once potentially fraudulent activity is detected, an employee must act quickly, as a rapid appropriate response can protect students and Charleston Southern University from damages and loss.
1. Once potentially fraudulent activity is detected, gather all related documentation and write a description of the situation. Present this information to the designated authority in your area for determination.
2. The designated authority will complete additional authentication, using outside sources such as banks, credit card issuers, etc., where appropriate, to determine whether the attempted transaction was fraudulent or authentic.

If a transaction is determined to be fraudulent, appropriate actions must be taken immediately. Actions may include:
1. Canceling the transaction;
2. Notifying and cooperating with appropriate law enforcement;
3. Determining the extent of liability of Charleston Southern University; and
4. Notifying the actual student that fraud has been attempted.

Periodic Updates To Plan

Annually, the program will be re-evaluated by the Vice President for Business and the Chief Information Officer to determine whether all aspects of the program are up to date and applicable in the current business environment. Such reviews will include an assessment of which accounts are covered by the program, the listing of red flags, and the action to take in the event of fraudulent activity.

Program Administration

The Information Security Policy warrants the highest level of attention, and so adoption of such a policy is the responsibility of the governing body. Operational responsibility for the program is delegated to the senior administration for their respective areas of authority. Senior administration shall:
- Maintain a listing of all employees, officials and contractors for whom it is reasonably foreseeable that they may come into contact with accounts or personally identifiable information that may constitute a risk to Charleston Southern University or its students;
- Distribute to such persons a copy of this policy;
- Obtain from each such person a signed statement indicating that they have read, understand and agree to abide by this policy.

Oversight of service provider arrangements

It is the responsibility of Charleston Southern University to ensure that the activities of all service providers are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. A service provider that maintains its own identity theft prevention program, consistent with the guidance of the red flag rules and validated by appropriate due diligence, may be considered to be meeting these requirements.

This policy will take effect immediately upon its approval by the University Board of Trustees.