OIT OPERATIONAL PROCEDURE

Title: DATA CLASSIFICATION GUIDELINES
Identification: OIT 1
Page: 1 of 5
Effective Date: 3/31/2014
Signature/Approval:

Guidelines and Handling Procedure (9 10) specifies that data collected by the College must be assigned to one of three categories: Restricted, Sensitive and . Data Owners are responsible for classifying the data in the appropriate category.

Initial Classification of Data

The table below lists some of the data elements used by different departments within the College whose classification is mandated by federal or state law. Data Owners can use the table for initial classification within their area of responsibility.

Data                                   Classification   Data Owner               Justification
Social Security Numbers                Restricted       VP, Student Services     FS 817.5681
Student records (non-directory)        Restricted       VP, Student Services     FERPA
Credit card cardholder data            Restricted       VP, Business Services    PCI, FS 817.5681
Driver License Number                  Restricted       VP, Student Services     FS 817.5681
Race/Gender                            Restricted       VP, Student Services
Individually Identifiable Information  Restricted       VP, Student Services     FS 817.5681
Disability Information                 Restricted       VP, Student Services     HIPAA
Patient Billing Records                Restricted       VP, Academic Affairs     HIPAA
Patient Medical Records                Restricted       VP, Academic Affairs     HIPAA
Employee Information                   Sensitive        Executive Director, HR   Employee Privacy
College Directory
College Policies and Procedures
Course Catalog
Websites

Data Handling Requirements

All users are responsible for following the controls that apply to the classification of the data they handle. The controls are listed below by control area, for each of the three classification levels from least to most restrictive.

Access Controls
  Least restrictive: Viewing - no restriction. Modifications - authorization by the Data Owner or designee.
  Sensitive: Viewing and modification - restricted to authorized individuals as needed for business-related roles; the Data Owner or designee grants permission for access, plus approval from the supervisor. Authentication and authorization for access.
  Restricted: Viewing and modification - restricted to authorized individuals as needed for business-related roles; the Data Owner or designee grants permission for access, plus approval from the supervisor. Authentication and authorization for access. Confidentiality agreement.

Copying/Printing
  Least restrictive: No restrictions.
  Sensitive: Data should only be printed when there is a legitimate need. Copies must be limited to individuals with a need to know. Data should not be left on a printer/fax. May be sent via Campus Mail.
  Restricted: Data should only be printed when there is a legitimate need. Copies must be limited to individuals who are authorized to access the data and have signed a confidentiality agreement. Data should not be left on a printer/fax. Copies must be labeled "Confidential" and must be sent in a Confidential envelope.

Network Security
  Least restrictive: May reside on a public network. Protection with a firewall; protection only with router ACLs is acceptable.
  Sensitive: Protection with a network firewall; protection with router ACLs is acceptable. Servers hosting the data should not be visible to the entire Internet, nor to unprotected subnets such as guest wireless networks. May be in a shared network server subnet with a common firewall ruleset for the set of servers.
  Restricted: Protection with a network firewall using a "default deny" ruleset. Protection with router ACLs. Servers hosting the data cannot be visible to the entire Internet, nor to unprotected subnets such as guest wireless networks. Must have a firewall ruleset dedicated to the system. The firewall ruleset should be reviewed periodically.

System Security
  Least restrictive: Must follow general best practices for the system firewall.
  Sensitive: Must follow OS-specific best practices for the system firewall. IDS/IPS.
  Restricted: Must follow OS-specific best practices for the system firewall; host-based software IDS/IPS.

Virtual Environments
  Least restrictive: none listed.
  Sensitive: Should not share the same virtual host environment with guest virtual servers of other security classifications.
  Restricted: Cannot share the same virtual host environment with guest virtual servers of other security classifications.

Physical Security
  Least restrictive: Hosted in a secure location; a Secure Data Center is
  Sensitive: Hosted in a Secure Data Center.
  Restricted: Physical access must be monitored, logged, and limited to authorized individuals 24x7.

Remote Access to systems hosting the data
  Least restrictive: No restrictions.
  Sensitive: Access restricted to the local network or VPN. Remote access by a third party for technical support is limited to authenticated, temporary access via secure protocols over the Internet.
  Restricted: Restricted to the local network or a secure VPN group. Unsupervised remote access by a third party for technical support is not allowed. Two-factor authentication.

Data Storage
  Least restrictive: Storage in a secure Data Center.
  Sensitive: Storage in a secure Data Center. Should not be stored on an individual's workstation or a mobile device.
  Restricted: Storage in a Secure Data Center. Should not be stored on an individual's workstation or mobile device (e.g., a laptop computer); if stored on a workstation or mobile device, whole-disk encryption must be used. Encryption on backup media. Paper/hard copy: do not leave it where others may see it; otherwise, it must be stored in a secure location.

Transmission
  Least restrictive: No restrictions.
  Sensitive: No requirements.
  Restricted: Encryption (for example, via SSL or secure file transfer protocols). Cannot be transmitted via e-mail unless encrypted and secured with a digital signature.

Backup/Disaster Recovery
  Least restrictive: Backups; daily backups.
  Sensitive: Daily backups. Off-site storage.
  Restricted: Daily backups. Off-site storage in a secure location.

Media Sanitization and Disposal (hard drives, CDs, DVDs, tapes, paper, etc.)
  Least restrictive: No restrictions. Recycle reports.
  Sensitive: Wipe/erase media. Shred reports.
  Restricted: Destruction of electronic media.

Training
  Least restrictive: none listed.
  Sensitive: Data security training.
  Restricted: Data security training. Applicable policy and regulation training.

Auditing
  Least restrictive: Not needed.
  Sensitive: Logins.
  Restricted: Logins, access and changes.

Mobile Devices
  Least restrictive: none listed.
  Sensitive: none listed.
  Restricted: Encryption.