Sensitive Information Policy

Updated to meet the latest mandated standards, including GDPR.
Comes in MS Word, PDF, and ePub formats.

Electronic Sensitive Information Policy Compliance Agreement Form Included for Easy Deployment of Policy

Includes User Bill of Rights for Sensitive Data and Privacy and
Definition of US Government Security Classification System

Sensitive Information Policy - Privacy

With identity theft and cyberattacks on the rise, you're facing new pressures to protect sensitive information. In fact, 46 states have passed data security laws that apply to companies that do business with residents of those states. These laws are designed to protect residents against identity theft by mandating security practices such as:

  • Implementing an information security program
  • Encrypting data
  • Notifying customers in the event of a security breach that compromises unencrypted personal information

To protect sensitive information, many states are now required to implement security programs that include capabilities for incident monitoring and alerting, trend reporting, logging, security information management (SIM), and other prudent security controls and practices.


This policy is easily modified and defines how to treat credit card, Social Security, employee, and customer data. The template is 443 pages in length and complies with GDPR, Sarbanes-Oxley Section 404, ISO 27000 (17799), and HIPAA. The electronic Word form that is provided can be delivered electronically, completed via computer, and filed electronically. The PCI Audit Program that is included is an additional 50-plus pages in length.

Also included are three (3) key job descriptions.

  • Chief Security Officer (CSO)
  • Manager Data Security
  • Security Architect

The Massachusetts and California mandated requirements were specifically included as part of the policy.

This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers), co-location providers, and facilities, regardless of the methods used to store and retrieve sensitive information (e.g. on-line processing, outsourcing to a third party, Internet, Intranet, or swipe terminals).

The HIPAA Audit Program Guide provides you with a checklist of the items that HIPAA mandates must be implemented. (See also Nationalized ID.)

The policy contains text that can be used immediately. For example:

General Policy Statement

The Chief Security Officer or delegate must approve all processing activities at ENTERPRISE associated with sensitive information. This information includes but is not limited to social security numbers, credit card numbers, credit card expiration dates, security codes, passwords, customer names, customer numbers, ENTERPRISE proprietary data, and any other data (i.e. California Personal ID number) that is deemed to be confidential by ENTERPRISE, its external auditors, any governmental agency, or other body that has jurisdiction over ENTERPRISE or its industry.

This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers), co-location providers, and facilities, regardless of the methods used to store and retrieve sensitive information (e.g. on-line processing, outsourcing to a third party, Internet, Intranet, or swipe terminals).

All processing, storage, and retrieval activities for sensitive information must maintain strict access control standards, and the Chief Security Officer mandates that these specific policies be followed.
