Sensitive Information Policy

HIPAA Audit Program Guide and a PCI Audit Program

Sensitive Information Policy
Includes an Electronic Sensitive Information Policy Compliance Agreement Form for Easy Deployment of the Policy

With identity theft and cyber attacks on the rise, you're facing new pressures to protect sensitive information. In fact, 46 states have now passed data security laws that apply to companies that do business with residents of those states. These laws are designed to protect residents against identity theft by mandating security practices such as:

  • Implementing an information security program
  • Encrypting data
  • Notifying customers in the event of a security breach that compromises unencrypted personal information

To protect sensitive information, many states now require companies to implement security programs that include capabilities for incident monitoring and alerting, trend reporting, logging, security information management (SIM), and other prudent security controls and practices.

This policy is easily modified and defines how to treat Credit Card, Social Security, Employee, and Customer Data. The template is 34 pages in length and complies with Sarbanes-Oxley Section 404, ISO 27000 (17799), and HIPAA. The electronic Word form that is provided can be delivered electronically, completed via computer, and filed electronically. The PCI Audit Program that is included is an additional 50-plus pages in length.

The Massachusetts and California mandated requirements were specifically included as part of the policy.

This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers), co-location providers, and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).

The HIPAA Audit Program Guide provides you with a checklist of the items that HIPAA mandates must be implemented. (See also Nationalized ID.)

You can download the Table of Contents and some sample pages by clicking on the link below.

The policy contains text that can be used immediately. For example:

General Policy Statement

The Chief Security Officer or delegate must approve all processing activities at ENTERPRISE associated with sensitive information. This information includes but is not limited to social security numbers, credit card numbers, credit card expiration dates, security codes, passwords, customer names, customer numbers, ENTERPRISE proprietary data, and any other data (e.g. California Personal ID number) that is deemed to be confidential by ENTERPRISE, its external auditors, any governmental agency, or other body that has jurisdiction over ENTERPRISE or its industry.

This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers), co-location providers, and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).

All processing, storage and retrieval activities for sensitive information must maintain strict access control standards, and the Chief Security Officer mandates that these specific policies be followed.


Other Policies

The policies have just been updated to comply with all mandated requirements and include electronic forms that can be emailed, filled out completely on the computer, routed and stored electronically -- a total solution.

We have just completed a major update of most of the individual policies and almost all of the electronic forms.

Note: See the Practical Guide for Outsourcing, a document of over 110 pages, for a more extensive outsourcing process.
