Sensitive Information Policy

Updated to meet the latest mandated standards
Includes a definition of what sensitive information is

Electronic Sensitive Information Policy Compliance Agreement Form Included for Easy Depolyment of Policy

Includes User Bill of Rights for Sensitive Data and Privacy

Sensitive Information Policy - PrivacyWith identify theft and cyber attacks on the rise, you're facing new pressures to protect sensitive information. In fact, in 46 states have now passed data security laws that apply to companies that do business with residents of those states. These laws are designed to protect residents against identity theft by mandating security practices
such as:

  • Implementing an information security program
  • Encrypting data
  • Notifying customers in the event of a security breach that compromises unencrypted personal information

To protect sensitive information, many states are now required to implement security programs that include capabilities for incident monitoring and alerting, trend reporting, logging, security information management (SIM), and other prudent security controls and practices.

Order Sensitive Information Policy Download Selected Pages Version History

This policy is easily modified and defines how to treat Credit Card, Social Security, Employee, and Customer Data. The template is 34 pages in length and complies with Sarbanes Oxley Section 404, ISO 27000 (17799), and HIPAA. The electronic word form that is provided can be delivered electronically, completed via computer, and filed electronically. The PCI Audit Program that is included is an additional 50 plus pages in length.

The Massachusetts and California mandated requirements were specifically included as part of the policy.

This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) , co-location providers, and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).

The HIPAA Audit Program Guide provides you with a checklist of the must be implemented items which HIPAA mandates. (see also Nationalized ID)

You can download the Table of Contents and some sample pages by clicking on the link below.

The policy contains text that can be used immediately. For example::

General Policy Statement

The Chief Security Officer or delegate must approve all processing activities at ENTERPRISE associated with sensitive information. This information includes but is not limited to social security numbers, credit card numbers, credit card expiration dates, security codes, passwords, customer names, customer numbers, ENTERPRISE proprietary data, and any other data (i.e. California Personal ID number) that is deemed to be confidential by ENTERPRISE, its external auditors, any governmental agency, or other body that has jurisdiction over ENTERPRISE or its industry.

This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and co-location providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals).
All processing, storage and retrieval activities for sensitive information must maintain the strict access control standards and the Chief Security Officer mandates the these specific polices be followed.

Order Sensitive Information Policy Download Selected Pages Version History