Presentation is loading. Please wait.

Presentation is loading. Please wait.

PRIVACY AND INFORMATION SECURITY ESSENTIALS Information Security Policy Essentials Melissa Short, IT Specialist Office of Cyber Security- Policy.

Published byLoreen Joanna Cross Modified over 9 years ago

Similar presentations

Presentation on theme: "PRIVACY AND INFORMATION SECURITY ESSENTIALS Information Security Policy Essentials Melissa Short, IT Specialist Office of Cyber Security- Policy."— Presentation transcript:

1 PRIVACY AND INFORMATION SECURITY ESSENTIALS Information Security Policy Essentials Melissa Short, IT Specialist Office of Cyber Security- Policy

2 PUBLIC LAW 109-461  Department of Veterans Affairs Information Security Enhancement Act of 2006  December 22, 2006  Introduced the term VA sensitive information

3 VA SENSITIVE INFORMATION All Department Information and/or data on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information. The term includes information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, and records about individuals requiring protection under applicable confidentiality provisions. -From PL 109-461 -Included in VA Directive and Handbook 6500, Information Security Program

4 SENSITIVE PERSONAL INFORMATION The term, with respect to an individual, means any information about the individual maintained by an agency, including the following: (i) education, financial transactions, medical history, and criminal or employment history; (ii) information that can be used to distinguish or trace the individual’s identity, including name, social security number, date and place of birth, mother’s maiden name, or biometric records. -From PL 109-461 -Included in VA Directive and Handbook 6500, Information Security Program

5 CATEGORIZATION OF SENSITIVE DATA  VA Sensitive Information includes: –Sensitive Personal Information –Regulatory/Program Specific Information  Sensitive Personal Information includes: –Individually Identifiable Information –Individually Identifiable Health Information –Protected Health Information –Privacy-Protected Information

6 OTHER CATEGORIES OF VA INFORMATION Categories of non-sensitive VA information:  Administratively Confidential Information – Information that is used in the daily operation of the VA. This is information that is intended for use by employees when conducting VA business.  Public Information - Information is categorized as Public if the information has been made available or could be made public pursuant to a FOIA request for public distribution through authorized VA channels. Public information is not sensitive in context or content, and requires no special security. -From VA Handbook 6500

7 INFORMATION OWNER Information owner means an agency official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal. -From PL 109-461 -Included in VA Directive and Handbook 6500, Information Security Program

8 SECURITY REQUIREMENTS FOR VA SENSITIVE INFORMATION VA Handbook 6500 and its Appendix D include:  Specific requirements for VA sensitive information  Issues such as: Encryption, Physical Security, Media Sanitization, Incident Reporting, Permission to Take Off-Site, Mobile Devices, Clear Desk, E-mail  Requirements for all VA devices due to the risk of breach of VA sensitive information  For example: In order to ensure the protection of sensitive information, all removable storage devices that connect to VA’s resources via USB ports (i.e. thumb drives, MP3 Players – iPods, Zunes, and external hard drives) must be encrypted with FIPS 140-2 certified encryption. Similarly storage media such as CDs/DVDs that contain VA sensitive information must be adequately protected with FIPS 140-2 certified encryption.

9 SECURITY BASELINES From VA Handbook 6500 (p. 26) The impact level of sensitive information is high. From DRAFT VA Handbook 6500 FIPS 199 and VA require System Owners (in coordination with information data owners and the ISO) to categorize their information systems as low-, moderate-, or high-impact. Once the overall impact level of the information system is determined, an initial set of security controls can be selected from the minimum controls recommended by NIST for LOW, MODERATE, or HIGH baselines.

10 Melissa Short (540) 597-1762 Melissa.Short@va.gov Information Protection Portal: https://vaww.infoprotection.va.gov/

Download ppt "PRIVACY AND INFORMATION SECURITY ESSENTIALS Information Security Policy Essentials Melissa Short, IT Specialist Office of Cyber Security- Policy."

Similar presentations

The Legal Foundation TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.

The Legal Foundation TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.
Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
Overview of the Privacy Act

Overview of the Privacy Act
Office of Health, Safety and Security

Office of Health, Safety and Security
1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.

1 NIST, FIPS, and you... Bob Grill Medi-Cal ISO July 16, 2009.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
WORKFORCE CONFIDENTIALITY HIPAA Reminders. HIPAA 101 The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy. HIPAA is.

WORKFORCE CONFIDENTIALITY HIPAA Reminders. HIPAA 101 The Health Insurance Portability and Accountability Act (HIPAA) protects patient privacy. HIPAA is.
 The Health Insurance Portability and Accountability Act of 1996.  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.

 The Health Insurance Portability and Accountability Act of  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.
A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.

A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.
BUS VIDEO RECORDINGS COLLECTION – PROCESSING - REDACTION - SHARING WHAT IS RIGHT FOR YOUR DISTRICT?

BUS VIDEO RECORDINGS COLLECTION – PROCESSING - REDACTION - SHARING WHAT IS RIGHT FOR YOUR DISTRICT?
Information Security Information Security for Research Thursday October 14 th 2010.

Information Security Information Security for Research Thursday October 14 th 2010.
Defense Privacy Office 1 Budget Documentation and Justification Writing Class The Privacy Act of 1974: What Senior Leaders Need to Know.

Defense Privacy Office 1 Budget Documentation and Justification Writing Class The Privacy Act of 1974: What Senior Leaders Need to Know.
SIU School of Medicine Identity Protection Act and Associated SIU Policy.

SIU School of Medicine Identity Protection Act and Associated SIU Policy.
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
The Privacy Office U.S. Department of Homeland Security Washington, DC 20528 t: 703-235-0780; f: 703-235-0442 Safeguarding.

The Privacy Office U.S. Department of Homeland Security Washington, DC t: ; f: Safeguarding.
Copyright © 2014 Merck Sharp & Dohme Corp., a subsidiary of Merck & Co., Inc. All rights reserved. In practice, how do we recognize a potential Privacy.

Copyright © 2014 Merck Sharp & Dohme Corp., a subsidiary of Merck & Co., Inc. All rights reserved. In practice, how do we recognize a potential Privacy.
PRIVACY COMPLIANCE An Introduction to Privacy Privacy Training.

PRIVACY COMPLIANCE An Introduction to Privacy Privacy Training.
Office of Research Oversight. Working Group Report Slide 2.

Office of Research Oversight. Working Group Report Slide 2.
Data Classification & Privacy Inventory Workshop

Data Classification & Privacy Inventory Workshop
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:

Similar presentations

Ads by Google