Sensitive Information Policy
Updated to meet the latest mandated standards, including GDPR
comes in MS WORD, PDF, and ePub formats
Electronic Sensitive Information Policy Compliance Agreement Form Included for Easy Deployment of Policy
Includes User Bill of Rights for Sensitive Data and Privacy and Definition of US Government Security Classification System
With identity theft and cyberattacks on the rise, you're facing new pressures to protect sensitive information. In fact, 46 states have passed data security laws that apply to companies that do business with residents of those states. These laws are designed to protect residents against identity theft by mandating security practices such as:
- Implementing an information security program
- Encrypting data
- Notifying customers in the event of a security breach that compromises unencrypted personal information
To protect sensitive information, many states now require the implementation of security programs that include capabilities for incident monitoring and alerting, trend reporting, logging, security information management (SIM), and other prudent security controls and practices.
The Massachusetts and California mandated requirements were specifically included as part of the policy.
This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers), co-location providers, and facilities, regardless of the methods used to store and retrieve sensitive information (e.g. on-line processing, outsourced to a third party, Internet, Intranet or swipe terminals).
The HIPAA Audit Program Guide provides you with a checklist of the items that HIPAA mandates must be implemented. (See also Nationalized ID.)
The policy contains text that can be used immediately. For example:
You can download the Table of Contents and some sample pages by clicking on the link below.
General Policy Statement
The Chief Security Officer or delegate must approve all processing activities at ENTERPRISE associated with sensitive information. This information includes but is not limited to social security numbers, credit card numbers, credit card expiration dates, security codes, passwords, customer names, customer numbers, ENTERPRISE proprietary data, and any other data (e.g. California Personal ID number) that is deemed to be confidential by ENTERPRISE, its external auditors, any governmental agency, or other body that has jurisdiction over ENTERPRISE or its industry.
This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers), co-location providers, and facilities, regardless of the methods used to store and retrieve sensitive information (e.g. on-line processing, outsourced to a third party, Internet, Intranet or swipe terminals).
All processing, storage and retrieval activities for sensitive information must maintain strict access control standards, and the Chief Security Officer mandates that these specific policies be followed.