Sensitive Information Policy
Updated to meet the latest mandated standards
Includes a definition of what sensitive information is
Electronic Sensitive Information Policy Compliance Agreement Form included for easy deployment of the policy
Includes User Bill of Rights for Sensitive Data and Privacy
With identity theft and cyber attacks on the rise, you are facing new pressures to protect sensitive information. In fact, 46 states have now passed data security laws that apply to companies doing business with residents of those states. These laws are designed to protect residents against identity theft by mandating security practices such as:
- Implementing an information security program
- Encrypting data
- Notifying customers in the event of a security breach that compromises unencrypted personal information
To protect sensitive information, many states now require companies to implement security programs that include capabilities for incident monitoring and alerting, trend reporting, logging, security information management (SIM), and other prudent security controls and practices.
The Massachusetts and California mandated requirements were specifically included as part of the policy.
This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers), co-location providers, and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).
The HIPAA Audit Program Guide provides you with a checklist of the items HIPAA mandates must be implemented. (See also Nationalized ID.)
The policy contains text that can be used immediately. For example:
You can download the Table of Contents and some sample pages by clicking on the link below.
General Policy Statement
The Chief Security Officer or delegate must approve all processing activities at ENTERPRISE associated with sensitive information. This information includes but is not limited to social security numbers, credit card numbers, credit card expiration dates, security codes, passwords, customer names, customer numbers, ENTERPRISE proprietary data, and any other data (e.g. California Personal ID number) that is deemed to be confidential by ENTERPRISE, its external auditors, any governmental agency, or other body that has jurisdiction over ENTERPRISE or its industry.
This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and co-location providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).
All processing, storage and retrieval activities for sensitive information must maintain strict access control standards, and the Chief Security Officer mandates that these specific policies be followed.
The policies have just been updated to comply with all mandated requirements and include electronic forms that can be emailed, filled out completely on the computer, routed and stored electronically: a total solution.
We have just completed a major update of most of the individual policies and almost all of the electronic forms.
- CIO IT Infrastructure Policy Bundle (All of the policies below are included as individual MS Word files and a single PDF file. Electronic forms are all individual documents that are easily modifiable)
- Backup and Backup Retention Policy
- Blog and Personal Web Site Policy (Includes electronic Blog Compliance Agreement Form)
- BYOD Policy Template (Includes electronic BYOD Access and Use Agreement Form)
- Google Glass Policy (Includes Google Glass Access and Use Agreement Form)
- Incident Communication Plan Policy (Updated to include social networks as a communication path)
- Internet, e-Mail, Social Networking, Mobile Device, Electronic Communications, and Record Retention Policy(Includes 5 electronic forms to aid in the quick deployment of this policy)
- Mobile Device Access and Use Policy
- Patch Management Policy
- Outsourcing and Cloud Based File Sharing Policy
- Physical and Virtual Server Security Policy
- Record Management, Retention, and Destruction Policy
- Safety Program
- Sensitive Information Policy(HIPAA Compliant and includes electronic Sensitive Information Policy Compliance Agreement Form)
- Service Level Agreement (SLA) Policy Template with Metrics
- Social Networking Policy(includes electronic form)
- Telecommuting Policy(includes 3 electronic forms to effectively manage work at home staff)
- Text Messaging Sensitive and Confidential Information (includes electronic form)
- Travel, Electronic Meeting, and Off-Site Meeting Policy
- Wearable Device Policy
- IT Infrastructure Electronic Forms
Note: See the Practical Guide for Outsourcing (a document of over 110 pages) for a more extensive outsourcing process.
Current Information Technology News
Email Privacy Act would require more warrants by police
A bill reintroduced in the U.S. House of Representatives would require law enforcement agencies to get a warrant before they examine users' emails and other communications in the cloud that are older than 180 days.
If the Email Privacy Act becomes law, government agencies will have to obtain a warrant based on a showing of probable cause to compel service providers to disclose emails and other electronic communications of Americans, regardless of the age of the mails or the means of storage. In the original version of the legislation, the government also had to notify the person whose account is disclosed, along with a copy of the search warrant and other information, within a stipulated period.
2017: Tech focus of the new administration is job creation and repatriation of profits
Topics on the agenda include job creation for American workers, international trade barriers, U.S. trade and access to the Chinese market, lower taxes, repatriation of profits held overseas, improving U.S. physical and digital infrastructure, cybersecurity, protecting intellectual property rights, government software, technology in education, improved vocational training, reducing government bureaucracy and greater accountability in the government procurement process.
The repatriation of profits has been a hot-button issue, with U.S. tech companies unwilling to bring back profits held overseas because they would have to pay U.S. taxes. The new administration signaled some sympathy for corporations by describing the taxes as "prohibitive."
Recent mobility computing articles that are must reads
- Mobile Computing Top 10 trends for CIOs (11.1) Mobile computing should be the focus of CIOs. Every organization needs to identify and develop mobile computing security policies to be deployed which will provide...
- Mobile data traffic is poised to explode (9.8) Janco Associates predicts a tidal wave and explosion of mobile data traffic. There will be more mobile users, nearly 5 billion by 2018 (up from...
- Mobile device FCC regulations for 2015 help the mobile user (8.7) Mobile Device Access and Use Policy, including the latest tablets and smartphones, and...
- World Class Organizations mobility a standard feature in IT applications (8.5) CIOs are incorporating mobility into their IT applications and business...
- Top 10 Wearable Issues (7.4) Over 33% of all organizations surveyed by Janco have revealed they have more than 5,000 connected devices. Add...
Staffing Issues the CIO Needs to be Aware of
Overseeing staffing, a hat that many CIOs wear, may mean having to make crucial decisions about hiring and policy, performance management and discipline, and employee terminations.
Five employment law issues should be on the radar of CIOs who oversee the staffing function.
- State and Local Wage and Hour Laws - Laws governing hours of work and payment of wages are a leading source of employee claims.
- Federal, State, and Local Leave Laws - Similarly, different states and cities may have medical leave and paid sick-time laws that differ significantly from what CIOs are familiar with under federal law or the law in the company's headquarters state.
- Independent Contractors - Claims by individual contractors alleging that they were misclassified and should have been treated as employees are now very common.
- Separation Agreements - Using a one-size-fits-all separation agreement may result in paying an employee severance pay and not getting an enforceable release of all legal claims in return.
- Using Contracts to Protect Business Info and Customer Relationships - CIOs of growth companies may need to be responsible for evaluating whether the company is taking the steps to ensure that, if necessary, restrictive employee contracts will be enforced by courts to the greatest possible extent.
Is your enterprise prepared for Brexit?
- It will take at least two years for the UK to disentangle from the EU. How will this period of uncertainty affect our company? Compliance? Security?
- How much business do we conduct with Europe?
- Would less regulation hurt us?
- Would a delay in new compliance rules with Europe hurt us?
- Freedom of movement within the EU is already changing. What further outcomes could UK departure cause both for EU citizens who want to work here and UK citizens who work in Europe? Mobility issues?
- Will there be any potential staffing problems?
- Will Brexit have any impact on our suppliers and our supply chain?
- If EU regulations no longer apply where might the UK government impose new regulations?
- Could the swift decline in the value of the pound hurt us?
Will EU privacy requirements kill US based cloud processing?
The EU's new privacy regulations restrict transfers of EU residents' personal data to jurisdictions outside the EU that do not offer adequate protection. In practice that means many companies must build on-premises applications in Europe to house this information. Costs are high and include on-premises servers, annual licensing fees, payroll and human resources systems, and additional head count, not to mention ongoing training and support expenses.
Password Security Tip
Use each password in only one place. Reusing a password, or using the same password everywhere, is like carrying one key that unlocks your house, your car, your office, your briefcase, and your safety deposit box. If you reuse a password across more than one computer, account, website, or other secure system, all of those systems are only as secure as the least secure system on which you have used that password: one lost key lets a thief unlock every door. Do not enter your password on untrusted systems. Change a password immediately when it may have been exposed; current guidance (NIST SP 800-63B) no longer recommends forced changes on a fixed schedule, because calendar-driven rotation tends to produce weak, predictable variants of the old password.
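The reuse problem above is easy to state but hard to see across dozens of accounts. The following added example, written for this page and not part of the original tip or any Janco product, scans a constructed password-manager CSV export for passwords shared by more than one account and reports the "blast radius" of a single site's breach (every other account that falls with it). The export format, the site names and the passwords are all assumptions for illustration; only hashes of the passwords appear in the report.

```python
import hashlib
from collections import defaultdict

# Constructed sample of a password-manager CSV export (site,username,password).
# All values are made up for this example.
SAMPLE_EXPORT = """site,username,password
bank.example,alice,Tr0ub4dor&3
mail.example,alice,Tr0ub4dor&3
forum.example,alice_k,hunter2
shop.example,alice,Tr0ub4dor&3
work.example,akim,correct horse battery staple
"""


def parse_export(text):
    """Parse the constructed CSV into (site, username, password) tuples.

    Splits on at most two commas so a password containing commas survives.
    """
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        site, user, password = line.split(",", 2)
        rows.append((site, user, password))
    return rows


def fingerprint(password):
    """Short SHA-256 fingerprint used only to group equal passwords.

    The report never carries plaintext. This is an equality key, not a
    storage hash; a password store would use a slow, salted KDF instead.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reused(rows):
    """Map each reused password fingerprint to the accounts sharing it."""
    by_fingerprint = defaultdict(list)
    for site, user, password in rows:
        by_fingerprint[fingerprint(password)].append(f"{user}@{site}")
    return {fp: accounts for fp, accounts in by_fingerprint.items()
            if len(accounts) > 1}


def blast_radius(rows, leaked_site):
    """Accounts on other sites that fall if `leaked_site` leaks its passwords."""
    leaked = {fingerprint(pw) for site, _, pw in rows if site == leaked_site}
    return sorted(f"{user}@{site}" for site, user, pw in rows
                  if fingerprint(pw) in leaked and site != leaked_site)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for fp, accounts in find_reused(rows).items():
        print(f"password {fp} is shared by {len(accounts)} accounts: {accounts}")
    print("if shop.example is breached, also compromised:",
          blast_radius(rows, "shop.example"))
```

Run against a real export, the reuse map is the to-do list for replacing passwords with unique generated ones, starting with any group that includes a financial or email account, since those are the ones an attacker will try first after a breach elsewhere.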
Top 10 Cloud postings
- 10 reasons to move Disaster Recovery to the Cloud (15.4) Cloud data disaster recovery protection solutions offer a combination of the latest advancements...
- Top 10 Reasons Cloud Solutions are Expanding (12.5) As CIOs and businesses move organizations towards cloud solutions and processing there are many benefits. The top 10...
- Top 10 Best Practices Cloud Security Defined (12.5) The need to lower cost, increase efficiency and conserve cash...
- Top 10 Reasons Cloud Fails (11.6) Applications are moving to the cloud and CIOs are striving to make the cloud they use as private and secure...
- 10 Backup Best Practices supplementing a disaster recovery and business continuity solution with the cloud (10.8) Backup best practices are used by many CIOs...