Sensitive and Protected Data Management Procedure



Similar documents
Media Disposition and Sanitation Procedure

Approved By: Agency Name Management

UTAH STATE UNIVERSITY POLICIES AND PROCEDURES MANUAL

TOURO UNIVERSITY WORLDWIDE AND TOURO COLLEGE LOS ANGELES IDENTITY THEFT PREVENTION POLICY 1.0 POLICY/PROCEDURE 2.0 PURPOSE 3.0 SCOPE 4.

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

Peace Corps Office of the OCIO Information and Information Technology Governance and Compliance Rules of Behavior for General Users

Career Connection, Inc. Data Privacy. Bringing Talent Together With Opportunity

CREDIT CARD PROCESSING & SECURITY POLICY

Health Insurance Portability and Accountability Act (HIPAA) Overview

REVISION: This directive supersedes TSA MD , Handling Sensitive Personally Identifiable Information, dated March 13, 2008.

8.03 Health Insurance Portability and Accountability Act (HIPAA)

BUSINESS POLICY. TO: All Members of the University Community 2012:12. CREDIT CARD PROCESSING AND SECURITY POLICY (Supersedes Policy 2009:05)

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

The Design Society. Information Security Policy

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

LSE PCI-DSS Cardholder Data Environments Information Security Policy

31-R-11 A RESOLUTION ADOPTING THE CITY OF EVANSTON IDENTITY PROTECTION POLICY. WHEREAS, The Fair and Accurate Credit Transactions Act of 2003,

SARASOTA COUNTY GOVERNMENT EMPLOYEE MEDICAL BENEFIT PLAN HIPAA PRIVACY POLICY

BRIDGEVALLEY COMMUNITY & TECHNICAL COLLEGE OPERATING POLICY

Western Oregon University Information Security Manual v1.6

A Guide to Benedictine College and Identity Theft

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

PROPOSED PROCEDURES FOR AN IDENTITY THEFT PROTECTION PROGRAM Setoff Debt Collection and GEAR Collection Programs

Credit Card Processing and Security Policy

. Merchant Accounts are special bank accounts issued by a merchant. . Merchant Level: This classification is based on transaction volume.

Privacy Data Loss. Privacy Data Loss. Identity Theft. The Legal Issues

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act)

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

Subject: U.S. Department of Housing and Urban Development (HUD) Privacy Protection Guidance for Third Parties

How To Protect Research Data From Being Compromised

E-Travel Initiative Electronic Data Systems (EDS) FedTraveler.com

PHI- Protected Health Information

TERMINAL CONTROL MEASURES

Department of Health and Human Services Policy ADMN 004, Attachment A

The University of North Carolina at Charlotte Identity Theft Prevention Program

Information Security Policy

About this Tool Information Security for Residents...

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;

Policies and Procedures for Electronic Protected Health Information (ephi) and Personally Identifiable Information (PII)

CITY UNIVERSITY OF HONG KONG. Information Classification and

Other terms are defined in the Providence Privacy and Security Glossary

Title: Data Security Policy Code: Date: rev Approved: WPL INTRODUCTION

HIPAA Awareness Training

Ferris State University

Statement of Policy. Reason for Policy

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Information Security Policy

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

SUMMARY: The Office of the Secretary of Defense proposes to. alter a system of records notice DPFPA 02, entitled Pentagon

College of DuPage Information Technology. Information Security Plan

HIPAA Employee Training Guide. Revision Date: April 11, 2015

Network and Workstation Acceptable Use Policy

2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy

Order. Directive Number: IM Stephen E. Barber Chief Management Officer

These rules became effective August 1, 2009, and require certain agencies to implement an identity theft program and policy.

MASSACHUSETTS IDENTITY THEFT RANKING BY STATE: Rank 23, 66.5 Complaints Per 100,000 Population, 4292 Complaints (2006) Updated January 17, 2009

Policy Scope: The policy applies across the Division to all DPH workgroups who maintain, use, have access to, or come into contact with IIHI.

EASTERN OKLAHOMA STATE COLLEGE ACCEPTING AND HANDLING CREDIT AND DEBIT CARD PAYMENTS POLICIES AND PROCEDURES

MCPHS IDENTITY THEFT POLICY

SUPREME COURT OF COLORADO OFFICE OF THE CHIEF JUSTICE

Information Security Plan effective March 1, 2010

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

BERKELEY COLLEGE DATA SECURITY POLICY

HFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY

WAKE FOREST BAPTIST MEDICAL CENTER POLICY AND PROCEDURE BULLETIN. Security and Protection of Medical Records in Paper Form

Model Identity Theft Policy and Adopting Resolution

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

POLICY & PROCEDURE DOCUMENT NUMBER: DIVISION: Finance & Administration. TITLE: Policy & Procedures for Credit Card Merchants

ACCEPTING PAYMENT CARDS FOR CONDUCTING UNIVERSITY BUSINESS:

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Personnel Files and Safeguarding Sensitive Data. Office of Human Resources August 2008

UNIVERSITY OF ROCHESTER INFORMATION TECHNOLOGY POLICY

OREGON IDENTITY THEFT RANKING BY STATE: Rank 20, 68.1 Complaints Per 100,000 Population, 2552 Complaints (2007) Updated January 10, 2009

Red Flag Identity Theft Financial Policy 1.10

Payment Card Industry (PCI) Policy Manual. Network and Computer Services

THE LUTHERAN UNIVERSITY ASSOCIATION, INC. d/b/a Valparaiso University IDENTITY THEFT PREVENTION PROGRAM

Computing Services Information Security Office. Security 101

OFFICE OF CHIEF COUNSEL OPERATION R.E.D. GUIDANCE

University Policy Accepting and Handling Payment Cards to Conduct University Business

Hamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004)

National Archives and Records Administration

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Privacy Impact Assessment of Automated Loan Examination Review Tool

INFORMATION SECURITY GUIDELINES

The Department of Health and Human Services Privacy Awareness Training. Fiscal Year 2015

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Payment Card Industry Data Security Standard

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

HIPAA Training for Hospice Staff and Volunteers

Covered Areas: Those EVMS departments that have activities with Covered Accounts.

Data Management Policies. Sage ERP Online

AUBURN WATER SYSTEM. Identity Theft Prevention Program. Effective October 20, 2008

ACRONYMS: HIPAA: Health Insurance Portability and Accountability Act PHI: Protected Health Information

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index

PCI Data Security and Classification Standards Summary

Please use your cell phone to access this website: pollev.com/ucsfprivacy

PII = Personally Identifiable Information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING

Transcription:

Sensitive and Protected Data Management Procedure

Revision History Version Date Editor Nature of Change 1.0 11/14/06 Kelly Matt Initial Release

Table of Contents 1.0 Overview... 1 2.0 Purpose... 1 3.0 Scope... 1 4.0 Protected Data... 1 5.0 Hard Copy Data... 1 5.1 Storage... 1 5.2 Transport... 1 6.0 Electronic Data... 1 6.1 Storage... 1 6.2 Transport... 2 7.0 Disposal... 2 7.1Physical... 2 7.2 Digital... 2 8.0 Enforcement... 2 9.0 Related Policies, Procedures, and Codes of Conduct.... 2

1.0 Overview All individuals who access the University of Northern Colorado s computing infrastructure have a responsibility to safeguard data. This procedure establishes the rules by which protected data should be managed and used within the University. 2.0 Purpose This document aids in establishing clear guidelines for managing protected data. 3.0 Scope This Procedure applies to employees, contractors, consultants, temporary employees, and other workers at UNC including all personnel affiliated with third parties. 4.0 Protected Data All Personally Identifiable Data (PII) which includes but is not limited to any data protected under a federal or state statute is considered protected data. This includes but is not limited to Family Educational Rights and Privacy Act (FERPA) protected data and Colorado HB 03-1175 protected data. In addition credit card numbers, expiration dates, and Card Verification Value (CVV) are also considered protected data. 5.0 Hard Copy Data Hard Copy data is defined as data that is not stored in electronic form. This includes printed material in any form. Reports, Rosters, Extracts. This also includes credit card receipts and carbons 5.1 Storage Protected data in hard copy format, when not attended or in used should be stored in a secure location such as a locked drawer or file cabinet. Do not leave protected data in out in the open for example on desk or printers. 5.2 Transport When transporting protected data make sure that the data is obscured from plain sight. Use sealed envelopes for both external and interoffice mail when protected data is involved. 6.0 Electronic Data Electronic data is data that is stored in electronic format, regardless of storage media. This includes but is not limited to the following: Network Drives Local hard Drives Laptops PDA Thumb drives Regardless of where the data exists the following guidelines should be followed for all protected data. 6.1 Storage Protected data should be stored on secure UNC IT managed devices only. Protected electronic data should not be transferred to an individual s personal computing equipment or to a non-approved third party. Protected data that exists outside approved systems such as Banner must be stored using the UNC approved document management system, Window Rights Management (WRM). Efforts should be taken to protect data in approved data stores such as encrypting various fields to limit the usefulness of data if systems are compromised. Page 1

6.2 Transport When protected data is transported electronically UNC IT approved encryption methods should be used. At present this includes Secure Sockets Layer (SSL) encryption and WRM. SSL is commonly used in web applications and WRM can be used to encrypt Microsoft office files and email. Do not transport any protected data within or outside the university with out utilizing one of these encryption technologies. This includes email, FTP or any other method of electronic transport. 7.0 Disposal Media disposition is a key element in assuring data confidentiality. Confidentiality is the ability to restrict access to information based on the value of the information. This includes protecting personally identifiable information. In order to provide appropriate controls on the information we are responsible for safeguarding, we must properly safeguard media in all forms. 7.1Physical When disposing of protected data in physical hard copy format please ensure that you are adhering to the following guidelines: Place all protected in the appropriate locked and protected bin. Do not stuff or over fill bins. If bins are not available or data is highly sensitive cross-cut shred immediately 7.2 Digital When disposing of protected data in electronic format please ensure that you are adhering to the following guidelines: Purge, degauss, shred, or physically destroy electronic media so that protected data cannot be reconstructed. To facilitate secure disposition of electronic media UNC Information Technology provides a secure drop service in the basement of Carter Hall at the operator s window. Individuals can bring digital media to this area and for secure disposal. For more detailed information on appropriate information and media disposition please see the Media Disposition and Sanitation Procedure. 8.0 Enforcement Any person found in violation of Federal, State law or University policy, regulation or procedures is subject to loss of privileges, disciplinary action, personal liability and /or criminal prosecution. The University may block access to or remove a network connection that is endangering computing and or network resources or that is being used for inappropriate or illegal use. Information Technology will work with the Dean of Students, the UNC Police the academic deans and directors and others to enforce this policy. 9.0 Related Policies, Procedures, and Codes of Conduct. All applicable laws and University policies, regulations and procedures bind UNC students and employees. UNC Acceptable User Regulation: Media Disposition and Sanitation Procedure: Page 2

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information