Public Employees Retirement System October 31, 2007 Eric Sokol, CSD Administrator Jeffrey Marecic, ISD Administrator Senate Bill 583 Implementation.

Presentation transcript:

1 Public Employees Retirement System October 31, 2007 Eric Sokol, CSD Administrator Jeffrey Marecic, ISD Administrator Senate Bill 583 Implementation

2 PERS SB 583 Program Components
- Incident Response Plan
- Eliminate Sending Personal Information
- Information Security Program
- Issues

3 [Diagram: PERS Business Network. Parties shown: HQ, 72nd SDC, BHS, Mercer, Iron Mtn, CitiStreet, Salem PERS, Rev-Q, Saber, Internet, D.O.R., Treasury, Employers, Health Care Insurance Carriers, Medical Advisors. Connection types labelled: VPN, FTP/VPN, FTP, Manual.]

4 Incident Response Plan
- Two Incident Response Teams
  – Executive team makes policy and response decisions.
  – Security Breach Response Team (SBRT) works under the direction of the Executive team and provides coordination, analysis, procedures and actions associated with suspected breaches.
- Other Sections of Agency Get Involved as Needed
- Notification Best Practices Checklist Greatly Assisted in Developing This Plan

5 Incident Response Plan

6 Eliminate Sending/Transporting Personal Information
- Inventoried All System Generated Correspondence
- Completed/Nearly Completed
  – Remove SSN Completely Where Possible
  – Use Last 4 Digits Where Needed
  – Move to PERS ID in the Long Term
- Relaxed Procedural Requirements that Lead to Returned Documents in the First Place
- Move to Redacting SSN and Personal Information on Member Records Requests
- Move to Secure FTP and VPN Instead of Tapes/Disks

7 Information Security Program
- Information Security Message Begins at the Top
- Information Security is Everyone’s Job
- Information Security Board Formed
- Security Awareness Training
  – HR and ISD Lead the Training Effort
  – Division Administrators Ensure Compliance

8 Information Security Program
- Policies and Procedures
  – Review and Update
    - Data Classification
    - Data/Document Labeling and Handling
    - ‘Clean Desk’ Provisions
    - Consultant/Contractor Compliance

9 Information Security Program
- Physical Security
  – Key Card Access to All Work Areas and Sensitive Information
  – Limited Access to Records Management Area
  – Monthly Review of Access System

10 Information Security Program
- Data Files
  – Network File Structure and Access
  – Data in Transport (Tapes, Disks, etc.)
    - Encrypt
    - Password Protect
    - Log Movements (senders and receivers)
  – Electronic Transfer (SFTP, VPN, EDX, )
    - Encryption
  – Developer Environments
    - Encrypted, Scrambled, Fictitious Data

11 Information Security Program
- Backup Tapes
  – Encrypt
  – Log movements

12 Information Security Program
- System Generated Reports
  – Remove SSN Where Possible
  – Limit Internal Distribution to Those Who ‘Need to Know’
  – Track Reports
    - When Printed
    - When Delivered (internally)

13 Information Security Program
- Public Records Requests
  – Redaction policy & procedure

14 Information Security Program
- Applications
  – Remove SSN From Screens
  – Implement Role Based Access Control (RBAC)
  – Replace SSN as Account Identifier
  – ORION is Being Developed to Comply
  – RIMS will be retired Q4/2009
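The SSN handling described in slides 6, 12 and 14 (remove the SSN where possible, show only the last four digits where a document needs them, and move to the PERS ID as the account identifier) could be implemented as below. This is an added example, not code from PERS or from the presentation; the regex, the plausibility filter based on SSA ranges that are never issued, and the sample SSN-to-PERS-ID table are assumptions constructed for illustration.

```python
import re

# Constructed lookup table for this example; the SSNs and PERS IDs are
# made up and are not real identifiers.
PERS_ID_BY_SSN = {"123-45-6789": "PERS-0001042", "321-54-9876": "PERS-0001043"}

# Matches 123-45-6789, 123 45 6789 or 123456789 as a whole token only,
# so longer digit runs (phone numbers, account numbers) are not touched.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (area 000, 666 or 9xx; group 00;
    serial 0000) so that other nine-digit numbers in correspondence, such
    as invoice numbers, are left alone rather than over-redacted."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def redact_ssn(text: str, keep_last4: bool = False) -> str:
    """Slide 6 rule for system-generated correspondence and reports:
    remove the SSN completely; where the document needs it, keep only
    the last four digits."""
    def replace(m):
        area, group, serial = m.groups()
        if not is_plausible_ssn(area, group, serial):
            return m.group(0)
        return f"XXX-XX-{serial}" if keep_last4 else "[SSN REDACTED]"
    return SSN_RE.sub(replace, text)


def rekey_record(record: dict, pers_id_by_ssn: dict) -> dict:
    """Slide 14 rule: the PERS ID becomes the account identifier; the full
    SSN is dropped from the record and only its last four digits are kept
    for manual identity confirmation."""
    ssn = record["ssn"]
    out = {k: v for k, v in record.items() if k != "ssn"}
    out["pers_id"] = pers_id_by_ssn[ssn]
    out["ssn_last4"] = ssn[-4:]
    return out


if __name__ == "__main__":
    letter = "Member SSN 123-45-6789, invoice 987654321 enclosed."
    print(redact_ssn(letter))
    print(redact_ssn(letter, keep_last4=True))
    print(rekey_record({"ssn": "123-45-6789", "name": "A. Member"}, PERS_ID_BY_SSN))
```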

15 Information Security Program
- Internal Audit
  – Provides Periodic Assessments of Agency Compliance to Information Security Program

16 ISSUES
- 3rd party vendors out-of-state
  – Vendor Certifications Required?
- Members Sending Original Documents
- Public Records Requests
- Member Records Requests
- Movement of Personnel Files
- Employer Data Exchange (SSN vs Another Identifier)