PRIVACY AND INFORMATION SECURITY ESSENTIALS Information Security Policy Essentials Melissa Short, IT Specialist Office of Cyber Security- Policy.


PUBLIC LAW
- Department of Veterans Affairs Information Security Enhancement Act of 2006
- December 22, 2006
- Introduced the term "VA sensitive information"

VA SENSITIVE INFORMATION
All Department information and/or data, on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information. The term includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, and records about individuals requiring protection under applicable confidentiality provisions.
- From PL; included in VA Directive and Handbook 6500, Information Security Program

SENSITIVE PERSONAL INFORMATION
The term, with respect to an individual, means any information about the individual maintained by an agency, including the following:
- (i) education, financial transactions, medical history, and criminal or employment history;
- (ii) information that can be used to distinguish or trace the individual's identity, including name, social security number, date and place of birth, mother's maiden name, or biometric records.
- From PL; included in VA Directive and Handbook 6500, Information Security Program

CATEGORIZATION OF SENSITIVE DATA
- VA Sensitive Information includes:
  - Sensitive Personal Information
  - Regulatory/Program Specific Information
- Sensitive Personal Information includes:
  - Individually Identifiable Information
  - Individually Identifiable Health Information
  - Protected Health Information
  - Privacy-Protected Information

OTHER CATEGORIES OF VA INFORMATION
Categories of non-sensitive VA information:
- Administratively Confidential Information: information used in the daily operation of VA, intended for use by employees when conducting VA business.
- Public Information: information is categorized as Public if it has been made available, or could be made public pursuant to a FOIA request, for public distribution through authorized VA channels. Public information is not sensitive in context or content and requires no special security.
- From VA Handbook 6500

INFORMATION OWNER
Information owner means an agency official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.
- From PL; included in VA Directive and Handbook 6500, Information Security Program

SECURITY REQUIREMENTS FOR VA SENSITIVE INFORMATION
VA Handbook 6500 and its Appendix D include:
- Specific requirements for VA sensitive information
- Issues such as encryption, physical security, media sanitization, incident reporting, permission to take off-site, mobile devices, and clear desk
- Requirements for all VA devices, due to the risk of breach of VA sensitive information
- For example: to ensure the protection of sensitive information, all removable storage devices that connect to VA resources via USB ports (e.g. thumb drives, MP3 players such as iPods and Zunes, and external hard drives) must be encrypted with FIPS certified encryption. Similarly, storage media such as CDs/DVDs that contain VA sensitive information must be adequately protected with FIPS certified encryption.

SECURITY BASELINES
From VA Handbook 6500 (p. 26): the impact level of sensitive information is high.
From DRAFT VA Handbook 6500: FIPS 199 and VA require System Owners (in coordination with information data owners and the ISO) to categorize their information systems as low-, moderate-, or high-impact. Once the overall impact level of the information system is determined, an initial set of security controls can be selected from the minimum controls recommended by NIST for the LOW, MODERATE, or HIGH baselines.
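As an added worked example (not from these slides and not VA's own tooling), the following Python applies the categorization step the slide describes: each information type a system processes is rated LOW, MODERATE, or HIGH for confidentiality, integrity, and availability; the system's categorization is the high-water mark across its information types and across the three objectives; and the overall level picks the NIST baseline. The high-water-mark rule is taken from FIPS 199 itself and goes beyond what the slide states. Treating the presence of any VA sensitive information as forcing an overall HIGH level is my reading of the Handbook 6500 quote on the slide, and the sample information types and their per-objective ratings are constructed for illustration.

```python
from dataclasses import dataclass

IMPACT_LEVELS = ("LOW", "MODERATE", "HIGH")
_RANK = {level: i for i, level in enumerate(IMPACT_LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type a system processes, with its FIPS 199 ratings.

    va_sensitive marks types that meet the VA sensitive information definition
    (e.g. Sensitive Personal Information, regulatory/program-specific information).
    """
    name: str
    confidentiality: str
    integrity: str
    availability: str
    va_sensitive: bool = False


def _validate(level):
    # Reject anything outside the three FIPS 199 levels instead of silently ranking it.
    if level not in _RANK:
        raise ValueError(f"unknown impact level {level!r}; expected one of {IMPACT_LEVELS}")
    return level


def high_water_mark(levels):
    """Highest impact level among `levels` (the FIPS 199 high-water mark)."""
    return max((_validate(lvl) for lvl in levels), key=_RANK.__getitem__)


def categorize_system(info_types):
    """Return per-objective impact levels plus the overall system impact level.

    Per-objective values are the high-water mark across all information types;
    the overall level is the high-water mark across the three objectives.
    Assumption drawn from the slides: any VA sensitive information present
    raises the overall level to HIGH regardless of the individual ratings.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    sc = {obj: high_water_mark(getattr(it, obj) for it in info_types) for obj in OBJECTIVES}
    overall = high_water_mark(sc.values())
    if any(it.va_sensitive for it in info_types):
        overall = "HIGH"
    sc["overall"] = overall
    return sc


def select_baseline(overall):
    """Map the overall impact level to the NIST baseline named on the slide."""
    return f"NIST {_validate(overall)} baseline"


# Constructed sample inputs; the per-objective ratings are illustrative, not VA's.
SAMPLE_SYSTEM = [
    InfoType("public press releases", "LOW", "MODERATE", "LOW"),
    InfoType("facility work schedules", "LOW", "MODERATE", "MODERATE"),
]
SAMPLE_WITH_SPI = SAMPLE_SYSTEM + [
    InfoType("veteran medical history", "MODERATE", "MODERATE", "LOW", va_sensitive=True),
]

if __name__ == "__main__":
    for label, system in (("no sensitive data", SAMPLE_SYSTEM), ("with SPI", SAMPLE_WITH_SPI)):
        sc = categorize_system(system)
        print(f"{label}: {sc} -> {select_baseline(sc['overall'])}")
```

Running the module shows the two cases side by side: the first system lands at MODERATE on the strength of its integrity and availability ratings alone, while adding one information type that meets the VA sensitive information definition moves the overall level to HIGH even though none of its individual ratings is HIGH. Unknown level strings raise rather than being ranked, so a typo in a rating cannot quietly lower a categorization.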

Melissa Short (540) Information Protection Portal: