Critical Data Guide. A guide to handling critical information at Indiana University




What is critical information?

IU defines critical information as sensitive data requiring the highest level of protection. This includes:
- Social Security numbers (SSNs)
- Financial account information
- Identifiable health information
- Passwords, passphrases, and access codes
- Student records

Unauthorized disclosure of critical information could result in criminal or civil penalties, identity theft, and financial loss.

Data collection & retention

Collection

First, determine whether you really need the information. If it is vital to your project, try to make it less sensitive:
- Collect only the last four digits of SSNs
- Convert SSNs to university ID numbers
- Remove critical information from spreadsheets before creating reports

Other tips:
- Consult with your departmental IT Pro (kb.iu.edu/data/baxq.html) or data steward to ensure proper handling
- Notify individuals in writing that you are collecting their data and get their consent (if appropriate)
- Periodically review internal decisions and protection measures

Retention

Securely destroy information when you no longer need it. For details on university retention requirements, see the University Records retention and disposition schedules [libraries.iub.edu/retention-and-disposition-schedules].
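The three minimization steps above (keep only the last four digits, replace the SSN with a university ID, strip critical columns before a report) as working code. This is an added example, not an IU tool: the CSV layout and sample rows are constructed, the "IU-" surrogate prefix is hypothetical, and the keyed-HMAC pseudonym stands in for IU's real university ID assignment, which is a separate system. The rule it illustrates is that the report can still join records on the surrogate, but nobody holding only the report can recover an SSN.

```python
"""Reduce the sensitivity of collected records before storing or reporting them.
Added example, not IU code. Assumes a CSV export with an 'ssn' column."""
import csv
import hashlib
import hmac
import io
import os
import re

# Constructed sample export. The SSNs are fictitious (area numbers 900-999
# are never issued by the SSA); the third row shows a non-SSN value.
SAMPLE_CSV = """name,ssn,email,balance
Alice Example,987-65-4320,alice@example.edu,120.50
Bob Example,987654321,bob@example.edu,0.00
Carol Example,n/a,carol@example.edu,35.00
"""

# Columns the guide treats as critical information. A report must not carry them.
CRITICAL_COLUMNS = {"ssn", "password", "account_number"}

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def last_four(ssn: str) -> str:
    """Keep only the last four digits, e.g. 'XXX-XX-4320'; non-SSN input is blanked."""
    m = SSN_RE.match(ssn.strip())
    return f"XXX-XX-{m.group(3)}" if m else ""


def surrogate_id(ssn: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 of the digits, truncated to 64 bits.

    The same SSN always maps to the same ID, so records still join, but the
    mapping cannot be reversed without `key`. Keep `key` out of the dataset and
    the report: the SSN space is only 10^9, so anyone holding the key can
    brute-force a pseudonym back to the SSN. The 'IU-' prefix is hypothetical."""
    m = SSN_RE.match(ssn.strip())
    if not m:
        return ""
    digits = "".join(m.groups())
    mac = hmac.new(key, digits.encode(), hashlib.sha256).digest()
    return "IU-" + mac[:8].hex()


def minimize(csv_text: str, key: bytes) -> str:
    """Rewrite a CSV: 'ssn' becomes surrogate_id + ssn_last4, other critical columns are dropped."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out_fields = []
    for f in reader.fieldnames:
        if f == "ssn":
            out_fields += ["surrogate_id", "ssn_last4"]
        elif f not in CRITICAL_COLUMNS:
            out_fields.append(f)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=out_fields, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        new = {f: row[f] for f in out_fields if f in row}
        if "ssn" in row:
            new["surrogate_id"] = surrogate_id(row["ssn"], key)
            new["ssn_last4"] = last_four(row["ssn"])
        writer.writerow(new)
    return buf.getvalue()


if __name__ == "__main__":
    key = os.urandom(32)  # in practice: fetched from a secret store, never stored beside the data
    print(minimize(SAMPLE_CSV, key))
```

If you need to get back from a surrogate to the SSN (the payroll and government-reporting case the guide mentions), that is a lookup in a separately protected table, not a property of the pseudonym; the pseudonym itself is one-way by design.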

Storing critical data

You don't need to store information locally if the university maintains the same information elsewhere. If possible, access the information from its primary source, with the following in mind:
- Use SSH, VPN, remote desktop, or another method that relies on strong cryptography
- Make sure your mobile device meets IU's Mobile Device Security Standard [https://protect.iu.edu/cybersecurity/policies/it12/12.1]
- Use a secure storage location

Electronic records: Do not store critical information on any personal device, storage drive, mobile media, or USB drive unless the information is both:
- Professionally secured (encrypted)
- Approved for storage by your senior executive officer or the Institutional Review Board

Paper records: Keep these in locked file cabinets/storage rooms or areas with access control. If stored in a shared location (e.g., University Archives), ensure that they are not accessible to others.

Safeguards

See Secure File Transfer Alternatives [http://protect.iu.edu/cybersecurity/secure-file-transfer-alternatives] for information on transmitting encrypted critical information.

Tips:
- Always log off or lock your workstation when you step away
- Comply with the PCI Data Security Standard (PCI DSS) for stored card payment data
- Comply with HIPAA for stored electronic protected health information (ePHI)

Use & transmission

Critical information should be used for one purpose only: conducting university business. Report any misuse to the appropriate authorities [protect.iu.edu/cybersecurity/incident].

Transmission by hand
- Use authorized couriers (list maintained by IU Purchasing)
- Require a signature from the recipient
- Provide a full street address for the recipient, not a P.O. Box
- Keep your shipping documentation, including the tracking number
- Use tamper-evident packaging so that any access in transit is detectable

Transmission electronically

Use an encrypted transmission method. If this isn't possible, encrypt the file before sending it.

Other tips:
- Consider Slashtmp [https://slashtmp.iu.edu]
- Comply with PCI DSS for card payment data
- Comply with HIPAA for ePHI
- Code secure websites and transmit data over a secure channel [kb.iu.edu/data/ahuq.html]
- Sites used for research may need to comply with HIPAA, CFR Part 11, or FISMA
- For other data protection methods, see Secure File Transfer Alternatives [http://protect.iu.edu/cybersecurity/secure-file-transfer-alternatives]

Encryption assistance

How does encryption protect information? Encryption transforms data under a key; only someone holding the correct key can decrypt it. Protecting the key, and keeping it separate from the encrypted data, therefore matters as much as the encryption itself.

Methods of encryption

Encryption typically applies to two different scenarios:
- Encrypting data at rest (while it is being stored)
- Encrypting data in transit (while it is being transmitted)

Encryption tools: stored information
- Encryption explained [protect.iu.edu/cybersecurity/data/encryption]
- What is PGP? [protect.iu.edu/tools/pgp]
- What is BitLocker? [kb.iu.edu/data/avjz.html]
- What is TrueCrypt? [kb.iu.edu/data/auhm.html] (TrueCrypt's developers ended the project in 2014 and warned it may contain unfixed security issues; prefer a currently maintained tool such as BitLocker)

Encryption tools: transmitted information
- Secure File Transfer Alternatives [protect.iu.edu/cybersecurity/secure-file-transfer-alternatives]
- What is SFTP? [kb.iu.edu/data/akqg.html]
- What is Slashtmp, and how do I use it? [kb.iu.edu/data/angt.html]

Searching & inventorying

Searching for critical information

Make sure you aren't unknowingly storing critical information by scanning with a tool such as Identity Finder. This IU-licensed tool searches for, protects, and securely disposes of certain critical information elements stored on your computer, file shares, or external media. Download it at no cost from IUware [iuware.iu.edu].

Other tips:
- If you find critical information, inform your departmental IT Pro and ask for assistance with secure disposal
- Identify where you have stored information on paper (e.g., desk or office area, file cabinets, closets, remote storage)

Social Security numbers

As of 2004, IU no longer uses Social Security numbers as employee or student IDs. To purge those SSNs:
- Delete the SSN column, and all SSNs in it, from historical student records
- Look for green or blue papers and oversized white forms
- Shred unnecessary documents
- Move necessary records to secured storage
- For external payrolls or government reporting, the university ID number can be converted back to the SSN

Disposal, wiping, & shredding

Disposal

Secure disposal means deleting information in a way that cannot be recovered. Never discard or leave critical information in an area accessible to the public.

Deletion is not enough

Most file-deletion methods, including operating system utilities and reformatting a hard drive (in its default quick mode), only remove the filesystem's pointers to the file. The data blocks stay on the media until something else happens to overwrite them, and ordinary forensic tools can recover them. That is why IU policy requires wiping or destroying hard drives and storage media prior to disposal or transfer outside the university. Note that on solid-state drives and flash media, overwriting a file is not a reliable wipe either: the drive may place the new data in different cells while the old cells keep their contents. For those, use the drive's built-in secure-erase function or physical destruction.
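What a scanner such as Identity Finder does for its SSN element, shown as an added example that is not Identity Finder's or IU's code: match candidate patterns, apply the SSA's allocation rules to discard numbers that were never issued (the main source of false positives in a campus file share), and emit only masked values so the scan report itself does not become critical information. The sample text and the file-extension filter are constructed for illustration; 123-45-6789 is used only as a valid-format placeholder.

```python
"""Find Social Security numbers in plain-text files. Added example, not an IU tool."""
import os
import re
import sys
from dataclasses import dataclass

# Candidate: three-two-four digits with optional '-' or ' ' separators, not
# embedded in a longer digit run (which rejects phone numbers and long IDs).
SSN_CANDIDATE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA has never issued: area 000, 666, or 900-999;
    group 00; serial 0000; and the advertising number 078-05-1120.
    (Since 2011 randomization, previously unused areas below 900 are valid,
    so no tighter area filter is safe.)"""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    if (area, group, serial) == ("078", "05", "1120"):
        return False
    return True


@dataclass
class Finding:
    path: str
    line_no: int
    masked: str  # never write the full SSN into scan output


def scan_text(text: str, path: str = "<mem>") -> list:
    """Return one Finding per validated SSN in `text`, with the value masked."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in SSN_CANDIDATE.finditer(line):
            area, group, serial = m.groups()
            if is_valid_ssn(area, group, serial):
                findings.append(Finding(path, n, f"XXX-XX-{serial}"))
    return findings


def scan_tree(root: str, exts=(".txt", ".csv", ".log")) -> list:
    """Walk a directory and scan plain-text files. Office/PDF formats need
    their own text extractor (not shown). errors='ignore' keeps stray bytes
    from aborting the whole walk."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                p = os.path.join(dirpath, name)
                with open(p, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), p))
    return findings


# Constructed sample: exactly one line should be reported (line 2).
SAMPLE = """employee,id
Alice Example,123-45-6789
phone: 317-274-7788
order 000-12-3456 rejected
ad number 078-05-1120
legacy 987-65-4320
big number 1234567890123
"""

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE, "SAMPLE")
    for f in hits:
        print(f"{f.path}:{f.line_no}: {f.masked}")
```

Expect some residual false positives (nine-digit order numbers with a valid-looking layout) and some misses (SSNs split across cells in a spreadsheet, or inside binary formats); the guide's follow-up step, asking your IT Pro to confirm and dispose, still applies to every hit.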
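To make the difference between deleting and wiping concrete, an added example (not an IU tool, and not a replacement for the wiping utilities or the destruction service the guide points to) that overwrites a file's blocks before unlinking it. The pass count, chunk size and renaming step are assumptions; the caveats in the docstring are the ones a practitioner must weigh before trusting a file-level overwrite at all.

```python
"""Overwrite a file before unlinking it. Added example, not an IU tool."""
import os
import secrets


def wipe_file(path: str, passes: int = 1, chunk: int = 1 << 20) -> int:
    """Overwrite `path` in place with random bytes, flush to the device,
    truncate, rename to a random name, then unlink. Returns bytes written.

    Caveats:
    - Only the file's current blocks are overwritten. Earlier copies left by
      editors, backups, snapshots, journaling or copy-on-write filesystems,
      and cloud sync clients are untouched.
    - SSDs and flash media remap writes (wear levelling), so the new data may
      land in different cells while the old ones keep the content. For those,
      use the drive's secure erase / crypto erase, or physical destruction.
    - Whole-drive disposal still needs a drive-level wipe or destruction; this
      only covers a single file you no longer need.
    """
    size = os.path.getsize(path)
    written = 0
    for _ in range(passes):
        with open(path, "r+b") as fh:
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
                written += n
            fh.flush()
            os.fsync(fh.fileno())  # make sure the overwrite reached the device
    # Truncate so the length is not recoverable from metadata, rename so the
    # original filename does not linger in the directory entry, then unlink.
    with open(path, "r+b") as fh:
        fh.truncate(0)
        fh.flush()
        os.fsync(fh.fileno())
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, anon)
    os.unlink(anon)
    return written


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(f"{p}: {wipe_file(p, passes=1)} bytes overwritten")
```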

Disk-wiping utilities

Check with your departmental IT Pro for a preferred tool, or see: How can I securely wipe disk drives? [kb.iu.edu/data/auhn.html].

Hard drive and document destruction
- IU Surplus Data Destruction Service [www.docuserv.indiana.edu/copy/ss_data.asp]
- Securely removing data [http://protect.iu.edu/cybersecurity/data/secure-removal]
- Document destruction vendors (approved by IU Purchasing) [http://www.indiana.edu/~purchase/contract/documentstorageanddestruction/destruction.php]

Sharing & disclosure

Disclosure is the direct sharing or providing of critical information to a person external to IU. It can be verbal, on paper, or electronic. Disclosure also occurs when information is compromised or stolen.

Authorized disclosures

Disclosure is sometimes necessary, or even required by law. A contract (reviewed by IU Purchasing) should be in place to govern the sharing agreement. Pre-2006 contracts must be updated to include the standard language.

Other things to note:
- Some disclosures include SSNs. Get express written consent from the affected individuals, and state in the documents that SSNs are being disclosed.
- Forward requests from law enforcement (or from the public under the Indiana Access to Public Records Act) to the Office of the Vice President and General Counsel
- All disclosures must comply with Policy DM-02 [http://policies.iu.edu/policies/categories/information-it/data-management/dm-02.shtml]

Unauthorized disclosures

Report all unauthorized disclosures immediately:
1. Call the UITS Support Center [uits.iu.edu/support]
2. Email details to it-incident@iu.edu
3. Wait for next steps from the University Information Policy and Security Offices

If the incident involves a compromised computer, do not power it off, and do not access or alter files. Powering off discards volatile evidence (running processes, network connections, memory contents), and opening files changes the timestamps investigators rely on.

Resources

University Information Policy Office: (812) 855-UIPO, protect.iu.edu/uipo, uipo@iu.edu
Committee of Data Stewards: datamgmt.iu.edu, iudata@iu.edu
Information protection: protect.iu.edu/cybersecurity/data
Office of the VP and General Counsel: (812) 855-9739, (317) 274-7460
Student Privacy and FERPA: registrar.indiana.edu/ferpainfo.shtml
IU Knowledge Base: kb.iu.edu
Online safety tips: protect.iu.edu/cybersecurity/safeonline
UITS Support Center: uits.iu.edu/support
Global Research Network Operations Center: (317) 274-7788
Institutional Data Acceptable Use Agreement: protect.iu.edu/agreement
Incident reporting: it-incident@iu.edu

The Trustees of Indiana University, November 2015