
HIPAA Security Awareness and Workforce Training Program

HIPAA Security Awareness Training Program | 2013


HIPAA Security Awareness and Workforce Training Program Manual
Table of Contents

The Importance of Security Awareness Training ... 7
Data Security Breaches ... 8
What is Information Security? ... 10
Roles and Responsibilities ... 11
Information Security Solutions ... 16
Defense-in-Depth ... 17
Layered Security ... 18
Cyber Security ... 19
Cloud Computing ... 20
HIPAA | Introduction ... 22
HITECH | Introduction ... 24
HIPAA Security Awareness Training Requirements ... 26
HIPAA Security Rule ... 26
HIPAA Security | 164.308 Administrative Safeguards ... 27
HIPAA Security | 164.310 Physical Safeguards ... 28
HIPAA Security | 164.312 Technical Safeguards ... 29
HIPAA Security | Policies and Procedures ... 30
HIPAA Notification of Breaches | As Amended by the Final Omnibus Ruling | January, 2013 ... 31
HIPAA Privacy Rules ... 33
HIPAA Privacy | 164.500 - 164.534 ... 35
HIPAA Privacy | General Principles for Uses and Disclosures ... 37
HIPAA Privacy | Permitted Uses and Disclosures ... 38
HIPAA Privacy | Authorized Uses and Disclosures ... 41
HIPAA Privacy | Individual Rights ... 42
HIPAA Privacy | Administrative Requirements ... 43
HIPAA Privacy | General Safeguards and Best Practices ... 45
Covered Entities ... 46
Business Associates ... 47
Final Omnibus Ruling (January, 2013) ... 49



Helpful HIPAA Resources ... 51
FERPA ... 52
FACTA ... 52
Red Flags Rules ... 53
PCI DSS ... 54
GLBA ... 55
Other Regulations ... 57
Security Awareness Topics ... 58
Account Security and Access Rights ... 59
Malware ... 60
Security Updates ... 61
Clean Desk Policy ... 62
Workstation Security ... 63
Laptop Security ... 66
Software Licensing and Usage ... 68
Internal Threats ... 70
Physical Security and Environmental Security ... 72
Incident Response ... 74
Personally Identifiable Information (PII) ... 75
Protected Health Information (PHI) | HIPAA ... 78
Protecting Information (Hard-Copy) ... 79
Protecting Information (Electronic Format) ... 81
Data Retention ... 84
Identity Theft ... 86
Online Security and Mobile Computing ... 88
Shopping Online ... 91
Securing Your Home Network ... 93
Protecting your Children Online ... 96
Security Tips for Travelling ... 99
Other Important Security Awareness Considerations and Top Internet Scams ... 102
If you see something, say something - Immediately ... 111
Top 20 Security Considerations for I.T. Personnel ... 112
Security Awareness Resources ... 123




Overview

Compliance with the Security, Privacy, breach notification, and other important measures of the Health Insurance Portability and Accountability Act, commonly known as HIPAA, requires organizations to gain a strong understanding of the various provisions within HIPAA and HITECH, and to become knowledgeable about information security. This is best accomplished by implementing a security awareness training program for all employees and related third-party users, so that they better understand information security as a whole and how it applies to HIPAA compliance. The use of information technology is extremely widespread in today's society, ushering in unprecedented levels of cost-effectiveness and efficiency. Yet with great benefits come great challenges, particularly when it comes to ensuring the confidentiality, integrity, and availability (CIA) of critical system components that store, process, and/or transmit sensitive and confidential information, such as Personally Identifiable Information (PII), and other important assets. It is imperative that all employees within your organization and other in-scope users have a strong understanding of information security: being aware of the dangers and challenges, while also helping to combat such threats with appropriate measures.

Security awareness is about effectively designing, developing, implementing, and maintaining an enterprise-wide program from which all employees can benefit, one that implements the three core components of Awareness, Training, and Education. "Awareness" means that numerous measures are initiated and implemented to keep all employees knowledgeable about the threats, responses, and solutions to security issues affecting the organization. "Training" means that material is researched, developed, and subsequently used to educate employees on all aspects of security awareness. And lastly, "Education" means that adequate measures are undertaken to ensure that continuing education on security awareness is provided to all employees on a routine basis, whatever that may be: quarterly, annually, etc. It must be stressed that security awareness training is dynamic in nature, changing as needed to meet the growing threats facing today's organizations.
The documentation found herein is your organization's formal security awareness training program, covering both general, best-of-breed practices for information security and specific measures relating to the safety and security of any PII or ePHI data, or any subset thereof, being stored, processed, and transmitted. Users are required to read the entire document annually, keep an electronic or hard-copy form readily available for reference, and sign and return the acknowledgement form on the last page to authorized personnel at your organization. You'll hear the following phrase repeated a number of times throughout this document: "if you see something, say something", which is the Department of Homeland Security's (DHS) motto for reporting suspicious activity, and a motto that you should strive to adhere to at all times.
 
Goals

There are many challenges when it comes to HIPAA security awareness training for today's organizations, such as time constraints, lack of interest by end-users, breaking from traditional practices, and numerous other issues. As such, the security awareness training program seeks to achieve the following goals:

• Provide a comprehensive, yet easy-to-understand and engaging training program.
• Offer in-depth educational resources regarding many of today's most critically important HIPAA-related security issues.
• Deliver a clear and concise message as to what security awareness is, why it's important, what it entails, and many other applicable issues.
• Enhance end-user skills, knowledge, and overall awareness regarding information security.
• Encourage best practices for information security, while also fundamentally changing the way employees regard the need for security awareness provisions.
• Finally, make security awareness a true part of the organization's fabric, one that requires a commitment by all employees to ultimately help ensure the safety and security of your organization's critical system components.



As stated earlier, HIPAA security awareness training for your organization encompasses measures relating to best-of-breed practices for information security, while also ensuring the safety and security of any PII or ePHI data, or any subset thereof, being stored, processed, and/or transmitted, along with other sensitive information. Moreover, the HIPAA security awareness training program is suitable for all employees, including senior management, I.T. personnel, and all other end-users of your organization's system components. Topics covered within your organization's security awareness training program include the following:

• The Importance of Security Awareness Training
• Data Security Breaches
• What is Information Security?
• Roles and Responsibilities
• Information Security Solutions
• Defense-in-Depth
• Layered Security
• Cyber Security
• Cloud Computing
• HIPAA | Introduction
• HITECH | Introduction
• HIPAA Security Awareness Training Requirements
• HIPAA Security Rule
• HIPAA Security | 164.308 Administrative Safeguards
• HIPAA Security | 164.310 Physical Safeguards
• HIPAA Security | 164.312 Technical Safeguards
• HIPAA Security | Policies and Procedures
• HIPAA Notification of Breaches | As Amended by the Final Omnibus Ruling | January, 2013
• HIPAA Privacy Rule
• HIPAA Privacy | 164.500 - 164.534
• HIPAA Privacy | General Principles for Uses and Disclosures
• HIPAA Privacy | Permitted Uses and Disclosures
• HIPAA Privacy | Authorized Uses and Disclosures
• HIPAA Privacy | Individual Rights
• HIPAA Privacy | Administrative Requirements
• HIPAA Privacy | General Safeguards and Best Practices
• Covered Entities
• Business Associates
• Final Omnibus Ruling (January, 2013)
• Helpful HIPAA Resources
• FERPA
• FACTA
• Red Flags Rule
• PCI DSS
• GLBA
• Other Regulations
• Security Awareness Topics
• Account Security and Access Rights
• Malware
• Security Updates
• Clean Desk Policy
• Workstation Security
• Laptop Security
• Software Licensing and Usage
• Internal Threats
• Physical Security and Environmental Security
• Incident Response
• Personally Identifiable Information (PII)
• Protecting Information (Hard-Copy)
• Protecting Information (Electronic Format)
• Data Retention
• Identity Theft
• Online Security and Mobile Computing
• Shopping Online
• Securing Your Home Network
• Protecting your Children Online
• Security Tips for Travelling
• Other Important Security Awareness Considerations and Top Internet Scams
• If you see something, say something - Immediately
• Top 20 Security Considerations for I.T. Personnel
• Security Awareness Resources
The Importance of Security Awareness Training

Advances in technology allow us to function at levels of efficiency that seemed unimaginable just a few decades ago. Computing systems are now smaller, faster, and cheaper than ever before, allowing businesses and individuals alike to carry out almost any type of process at the flip of a switch or the click of a mouse, with little to no effort at all. Yet with all the benefits of information technology, security issues loom very large. It seems that with each passing day another story makes headlines because of a notable data breach in which untold numbers of credit cards and/or Personally Identifiable Information (PII) were stolen or compromised. Unfortunately, as we continue to rely on information systems for storing, processing, and/or transmitting sensitive and confidential information, data security breaches will become more common, resulting in significant costs for everyone in society.

Just consider some of the largest data breaches in history, which have occurred in recent years and have resulted in hundreds of millions of compromised consumer accounts, ranging from credit card information and medical records to social security numbers and many other forms of PII. It's absolutely staggering, and it's why security awareness training is now more important than ever for helping ensure the safety and security of system components. Additionally, crime statistics for identity theft and other forms of electronic fraud and abuse continue to rise, with no end in sight. It's time organizations became very serious about information security awareness training, and it starts today with your organization's comprehensive security awareness training program, a detailed document put forth by industry-leading security experts in the field of information security and health care regulatory compliance.



Data Security Breaches

A data security breach is technically defined as the intentional or unintentional release of secure information into an untrusted environment. Simply stated, it's about letting highly sensitive and confidential information fall into the wrong hands, and unfortunately it happens every day, causing enormous problems and challenges for organizations. Many of the most well-known data security breaches are a direct result of carelessness by individuals, along with failures to update critical security measures. From using antiquated encryption techniques to leaving laptops in hotels, stories abound of such simple, yet highly costly, mistakes made by individuals. As for the results, they can be catastrophic in many ways, often putting such severe financial and public-relations burdens on companies that they never fully recover. Numerous laws, regulations, and industry-specific mandates require organizations not only to put in place comprehensive measures for mitigating data security breaches, but also to notify individuals of such breaches.

These are costly measures, something a company never wants to encounter, and all the more reason for employees to have a sound understanding of critical security awareness topics for helping protect the safety and security of organization-wide system components. From using simple and easy-to-guess passwords to leaving hard-copy records in public areas, data breaches can and do happen. As an employee of your organization, you'll ultimately come across information deemed highly sensitive and confidential, so remember to ask yourself some basic questions, such as "Do I have the right to access this information?" and "Is the information being stored securely from unauthorized parties?", along with many other basic security questions.



 
It's also important to note the different types of data security breaches, which, according to privacyrights.org, generally consist of the following:

• Unintended disclosure - Sensitive information posted publicly on a website, mishandled, or sent to the wrong party via email or any other type of end-user messaging technology.
• Hacking or malware - Electronic entry by an outside party, malware, and spyware.
• Payment card fraud - Fraud involving debit and credit cards that is not accomplished via hacking, for example, skimming devices at point-of-service terminals.
• Insider - Someone with legitimate access, such as an employee or contractor, intentionally breaches information.
• Physical loss - Lost, discarded, or stolen non-electronic records, such as paper documents.
• Portable device - Lost, discarded, or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc.
• Stationary device - Lost, discarded, or stolen stationary electronic device, such as a computer or server not designed for mobility.
• Unknown - Anything outside of the above listed categories.

Our reliance on information technology, though plentiful with benefits, also brings large risks and even larger responsibilities for employees to be aware of any perceived or actual instances of intentional or unintentional release of secure information into an untrusted environment. Data security breaches are costly and extremely damaging, with long-lasting negative effects. Again, if you see something, say something - immediately!



What is Information Security?

No discussion of security awareness training would be complete without a basic and fundamental understanding of the broader topic of information security. After all, the vast majority of security awareness training topics are directly related to various components of information security. Information security is best defined as the following:

Protecting information from unauthorized access, use, disclosure, disruption, modification, recording, or destruction, while ultimately ensuring the confidentiality, integrity, and availability (CIA) of an organization's critical system components.

It's a large and complex field, one that requires highly skilled, well-trained, and disciplined individuals for administering and carrying out daily technology practices. Additionally, it requires thoughtful decision making by all individuals (such as you!) for helping protect and secure an organization's network, especially its sensitive and confidential information. The governing principle within information security is CIA, Confidentiality, Integrity, and Availability, which means the following:

• Confidentiality: Preventing the disclosure of information to unauthorized individuals and/or systems.
• Integrity: Ensuring that information cannot be modified undetectably, such as by guarding against improper information modification or destruction.
• Availability: Ensuring that information is available as needed, which consists of timely and reliable access.



Roles and Responsibilities

Curious as to who does what in regards to information security, and what their roles and responsibilities are within an organization? Listed below are the general titles given to individuals in information technology and information security. You should be familiar with them, as this helps all employees gain a stronger understanding of who does what in relation to information security for a company. These are considered industry-accepted titles, but they may differ slightly from one organization to another, so please be advised. These titles are also critically important to note because, if security issues arise, you'll know whom to communicate with.

• Chief Technology Officer (CTO) | Chief Information Officer (CIO): Responsibilities include providing overall direction, guidance, leadership, and support for the entire information systems environment, while also assisting other applicable personnel in their day-to-day operations. The CTO | CIO is to report to other members of senior management on a regular basis regarding all aspects of the organization's information systems posture.

• Director of Information Technology | Senior Information Security Officer: Responsibilities also include providing overall direction, guidance, leadership, and support for the entire information systems environment, while also assisting other applicable personnel in their day-to-day operations, along with researching and developing information security standards for the organization as a whole. This requires extensive identification of industry benchmarks, standards, and frameworks that can be effectively utilized by the organization for provisioning, hardening, securing, and locking down critical system components. After researching such standards, the senior security officer is to oversee the establishment of a series of baseline configuration standards covering, but not limited to, the following system components: network devices, operating systems, applications, internally developed software and systems, and other relevant hardware and software platforms.



 
Because baseline configurations can and will change, this authorized individual is also to update the applicable configurations, documenting all modifications and enhancements as required. Additional duties of the Director of Information Technology | Senior Information Security Officer include the following:

• Responsibility for all major facets of information technology throughout the organization, such as management and recommendations as necessary.
• Providing leadership, direction, and guidance for current and existing projects.
• Overseeing the development of all applicable operational, business-specific, and information security policies, procedures, forms, checklists, templates, provisioning and hardening documents, and other necessary material.
• Overseeing initiatives for developing internal Requests for Proposals (RFPs), along with answering RFPs for services from the organization.
• Assisting in developing the annual information technology budget.
• Displaying integrity, honesty, and independence at all times.
• Supporting the Director of Information Technology | Senior Information Security Officer and other members of senior management as necessary.

• Network Engineer | Systems Administrator: Responsibilities include actually implementing the baseline configuration standards for all in-scope system components. This requires obtaining a current and accurate asset inventory of all such systems, assessing their initial posture against the stated baseline, and undertaking the necessary configurations. Because of the complexity and depth often involved in such activities, numerous personnel designated as Network Engineers | Systems Administrators are often involved.



 
Furthermore, these individuals are also responsible for monitoring compliance with the stated baseline configuration standards, reporting to senior management all instances of non-compliance and the efforts undertaken to correct such issues. Additionally, because these individuals undertake the majority of the operational and technical procedures for the organization, it is critical to highlight other relevant duties, such as the following:

• Assessing and analyzing baseline configuration standards to ensure they meet the intent and rigor required for the overall safety and security (both logical and physical) of critical system components.
• Ensuring the asset inventory for all in-scope system components is in fact kept current and accurate.
• Ensuring that network topology documents are also kept current and accurate.
• Facilitating requests for validation of baseline configurations for purposes of regulatory compliance assessments and audits, such as those for PCI compliance, SSAE 16 reporting, HIPAA, FISMA, GLBA, etc.
• Continuous training and certification for purposes of maintaining the level of information security expertise necessary for configuration management.

Additional duties of Network Engineers | Systems Administrators include the following:

• Establishing the networking environment by designing system configuration; directing system installation; defining, documenting, and enforcing system standards.
• Optimizing network performance by monitoring performance; troubleshooting network problems and outages; scheduling upgrades; collaborating with network architects on network optimization.
• Updating job knowledge by participating in educational opportunities; reading professional publications; maintaining personal networks; participating in professional organizations.
• Securing the network system by establishing and enforcing policies; defining and monitoring access.
• Reporting network operational status by gathering and prioritizing information; managing projects.



• Software Developers | Coders: Responsibilities include actually developing secure systems by implementing the required baseline configuration standards into all systems and software development lifecycle activities. Coding for security, not functionality, is a core theme to which all software developers | coders are to adhere. They are also to identify any other necessary baseline configuration standards when warranted. Ultimately, this requires removing, disabling, and not implementing insecure services, protocols, or ports that, while they may be conducive to ease of use, ultimately compromise the systems being developed.

Additionally, these personnel are also responsible for following a structured project management framework, one that includes utilizing a documented SDLC process, complete with well-defined change management policies, processes, and procedures. Moreover, these personnel are to support and coordinate all required requests for validation of the baseline configurations within the systems they develop for purposes of regulatory compliance and/or internal audit assessments.

Additional duties of Software Developers | Coders include the following:

• Developing software solutions by studying information needs; conferring with users; studying systems flow, data usage, and work processes; investigating problem areas; following the software development lifecycle.
• Determining operational feasibility by evaluating analysis, problem definition, requirements, solution development, and proposed solutions.
• Effective documentation via flowcharts, layouts, diagrams, charts, code comments, and clear code.
• Preparing and installing solutions by effectively designing system specifications, standards, and programming.
• Improving operations by conducting systems analysis; recommending changes in policies and procedures.
• Obtaining and licensing software from vendors.
 

• Change Management | Change Control Personnel: Responsibilities include reviewing, approving, and/or denying all changes to critical system components, and specifically any changes to the various baseline configuration standards. While changes are often associated with user functionality, many times issues of vulnerability, patch, and configuration management are brought to light by change requests. In such cases, authorized change management | change control personnel are to extensively analyze and assess these issues for ensuring the safety and security of organization-wide system components.

• End Users: Responsibilities include adhering to the organization's information security policies, procedures, and practices, and not undertaking any measure to alter such standards on any system components. Additionally, end users are to report instances of non-compliance to senior authorities, specifically those by other users. End users, while undertaking day-to-day operations, may also notice issues that could impede the safety and security of your organization's system components, and are to report such instances immediately to senior authorities.

• Vendors, Contractors, and Other Third-Party Entities: Responsibilities for such individuals and organizations are much like those stated for end users: adhering to the organization's information security policies, procedures, and practices, and not undertaking any measure to alter such standards on any system components.



Information Security Solutions

There is an endless list of tools, devices, and protocols used to protect networks, but for purposes of gaining a basic understanding of these appliances, the following are considered vital when it comes to information security best practices:

• Network devices: firewalls, routers, switches, load balancers, intrusion detection systems (IDS).
• Malware solutions: anti-virus and anti-spam software and devices.
• File Integrity Monitoring (FIM) and change detection software, host-based intrusion detection and intrusion prevention devices.
• Secure services, those that are operating system (O/S) and application specific, for all major operating systems (Windows, UNIX, Linux) and applications (web server applications, database applications, internally developed applications).
• Secure protocols, such as SSL, SSH, VPN, etc.
• Secure ports, such as 443, 22, etc.
• User access principles, such as Role Based Access Controls (RBAC), etc.
• Username and password parameters, such as unique user IDs, password complexity rules, password aging rules, account lockout thresholds, etc.
• Encryption
• Event monitoring
• Configuration and change monitoring
• Performance and utilization monitoring
• Logging and reporting
• Appropriate incident response measures

Defense-in-Depth

Two of the best practices for ensuring the CIA triad is upheld at all times are Defense-in-Depth and layered security, essentially utilizing various resources to help protect an organization's information systems landscape. Defense-in-Depth was initially a military strategy that put forth a "delay rather than prevent" concept, one that advocated yielding various elements to the enemy for purposes of buying extra time. Over time, the National Security Agency (NSA) adopted Defense-in-Depth as an information assurance (IA) concept in which multiple layers of security are used to protect an organization's information technology infrastructure. Defense-in-Depth has since become a widely adopted framework for organizations around the world for helping ensure the safety and security of critical system components. It has been praised as a highly effective concept, one that employs effective countermeasures for thwarting attacks on an enterprise's information systems environment. Defense-in-Depth, for purposes of information security, includes the following layers, which have been loosely adopted and agreed upon by industry-leading vendors and other noted organizations:

• Data
• Application
• Host
• Internal Network
• Perimeter
• Physical
• Policies, Procedures, Awareness

Layered Security

Layered security, often mentioned in the context of Defense-in-Depth, is a concept whereby multiple layers of security initiatives are deployed for the purpose of protecting an organization's critical system components. Specifically, by utilizing a number of security tools, protocols, and features, organizations can effectively put in place layers of security that, in the aggregate, help ensure the confidentiality, integrity, and availability (CIA) of systems. It's important to note that the main emphasis of layered security is protection, ultimately making it a subset of Defense-in-Depth, which casts a much wider net over the broader subject of enterprise-wide information security. Furthermore, layered security seeks to put in place measures that compensate for possible weaknesses in other tools, but again, in the aggregate, form a comprehensive security strategy.

Remember, layered security is not about information security redundancy, that is, using multiple tools to achieve the same desired output, such as using an access control card and iris recognition to enter a data center (that's two forms of the same control: authentication and authorization). As for layered security initiatives, common examples include the following:

• The use of firewalls, intrusion detection systems, web application firewalls, and anti-virus and anti-spam tools, as each provides a specific protective measure for network security that the others do not.

• Having pan-tilt-zoom (PTZ) cameras at a data center, along with comprehensive badge provisioning procedures, whereby an organization implements the use of access control cards and iris recognition at the actual data center facility.

For purposes of information security, all individuals form a cohesive and vital component of an organization's overall Defense-in-Depth platform, one that utilizes multiple resources for enterprise-wide cyber security protection.

Cyber Security

When seeking a technical definition or understanding of a topic relating to information security, individuals often turn to the likes of NIST and Wikipedia. Such is the case for cyber security, which NIST briefly describes as "The ability to protect or defend the use of cyberspace from cyber-attacks" (NIST glossary). As for Wikipedia, it blends cyber security into the broader subject of information technology and information security, failing to provide, understandably so, a clear definition. We all tend to get caught up on technicalities, so for purposes of simplicity, here's a well-crafted definition of what cyber security can best be looked upon as:

The various measures, such as the enforcement of policies and the enactment of necessary processes and related procedures, for helping ensure the confidentiality, integrity, and availability (CIA) of information systems from malicious attempts at compromising system security that can ultimately disrupt, disable, destroy, and harm an organization's system resources.

Simply stated, it's about putting in place measures for protecting one's information systems from the ever-growing threats in today's cyber world, and there's a tremendous effort currently underway by organizations all around the world to do just that. Publicly traded companies, local, state, and federal agencies, and many other entities are hard at work putting in place measures for ensuring the safety and security of their entire information systems landscape. From Defense-in-Depth to layered security, along with the adoption and implementation of a dizzying array of security standards, the topic of cyber security is alive and well, and you need to know about it!

Cloud Computing

It's also critical that employees have a strong understanding of cloud computing, an area within information security that has an almost endless list of definitions and explanations, ranging from the very technical (the NIST definition of cloud computing) to the simpler, easy-to-understand definition provided by Wikipedia. So what is cloud computing? Taking the NIST definition and simplifying it, cloud computing is the following:

A model that allows for scalable, convenient, on-demand services to a shared pool of distributed computing resources, for which many models exist. In essence, one's computing resources live in the "cloud", instead of a more traditional model, such as a client-server design.

The phrase has garnered much attention and widespread adoption since the mid-2000s, but the concept isn't as new as people might think. As for the various cloud models, vendors and others within the information technology arena are abuzz with new and catchy names and phrases, but referring back to NIST is generally a good idea. According to the NIST publication "The NIST Definition of Cloud Computing" (published September 2011), cloud computing consists of five (5) core characteristics, three (3) service models, and four (4) deployment models. Download the NIST whitepaper, titled "The NIST Definition of Cloud Computing", to learn more.

What's also important to note about cloud computing is its rapid expansion and widespread adoption by companies. More and more organizations are building out cloud computing platforms and offering such services to clients, while companies themselves are moving away from client-server and traditional computing environments to cloud computing. It's a massive shift, one that will continue into the foreseeable future as cloud computing slowly, but surely, becomes the de facto computing environment for most organizations, regardless of sector, industry, or location.

But with this huge leap of information technology faith come numerous requirements, the most important being that of security. After all, on-demand resources, while being touted as efficient, scalable, and cost-effective, among other things, raise large security concerns. If you're using cloud computing within your organization and want to learn more, here are some helpful resources:

• The Cloud Security Alliance: https://cloudsecurityalliance.org/
• Cloud Industry Forum: http://www.cloudindustryforum.org/
• Wikipedia overview of cloud computing: http://en.wikipedia.org/wiki/Cloud_computing

HIPAA | Introduction

The Health Insurance Portability and Accountability Act (HIPAA) is a comprehensive set of healthcare provisions enacted by the United States Congress and subsequently signed into law by President Bill Clinton in 1996, effectively mandating broad-based legislation regarding healthcare access, portability, and renewability, along with security and privacy rules for electronic health records and related information ("protected health information" | PHI, and a subset thereof known as "electronic protected health information" | ePHI).

Within Title II of HIPAA, the main emphasis has been on the "Privacy Rule" and the "Security Rule", two (2) critically important legislative mandates that established, for the first time, a set of national standards for the protection of certain health information (the "Privacy Rule"), along with a national set of security standards for protecting certain health information that is held or transferred in electronic form (the "Security Rule").

Being "compliant" with HIPAA is a broad statement indeed, due in large part to the depth of the HIPAA legislation itself. While Title I and Title II of HIPAA contain numerous, far-reaching provisions for many organizations in the health and benefits arena, great emphasis has been placed on the Privacy Rule and the Security Rule regarding regulatory compliance, due to their applicability to many entities. Additionally, supporting legislation from Subtitle D of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) strengthens the civil and criminal enforcement of the HIPAA Privacy and Security Rules. It must also be noted that for both the Privacy Rule and the Security Rule, along with the mandates within Subtitle D of HITECH, organizations are identified as either a "covered entity" or a "business associate".
 
 

A "covered entity" is defined as one of:
• A health plan.
• A health care clearinghouse.
• A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter [e.g., HIPAA Administrative Simplification transaction standards].

A "business associate" is defined as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Simply stated, business associate functions and activities vary widely and can include claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and data warehousing, just to name a select few. The technical definition of a "business associate", expanded by the final Omnibus ruling in 2013, can now include emerging technologies and businesses, such as data centers, Software as a Service (SaaS) entities, and managed services providers, just to name a select few. Visit the Department of Health and Human Services (www.hhs.gov) to learn more about HIPAA and helpful guidelines on protecting healthcare information.
 
 

HITECH | Introduction

The Health Information Technology for Economic and Clinical Health Act, simply known as the HITECH Act to many, was officially enacted under Title XIII of the American Recovery and Reinvestment Act of 2009, and is considered a major piece of health care legislation in many ways. Specifically, HITECH advocates the adoption of electronic health records (EHR) for creating efficiency, transparency, and overall improvements in care. There are many provisions within the Act that require much attention by various parties, particularly Subpart D, Notification in the Case of Breach of Unsecured Protected Health Information. It's a huge goal and a large task indeed, with untold numbers of organizations being affected by the HITECH Act. Essentially, HITECH emphasizes the concept of "meaningful use", whose main components are the following:

• The use of certified electronic health records (EHR) in a meaningful manner, such as e-prescribing.
• The use of certified EHR technology for electronic exchange of health information to improve the quality of health care.
• The use of certified EHR technology to submit clinical quality and other measures.

Essentially, providers need to show they're using certified EHR technology in ways that are deemed beneficial, ultimately resulting in the following:

• Improvement of care coordination
• Reduction of healthcare disparities
• Engaging patients and their families
• Improving population and public health
• Ensuring adequate privacy and security
 
 

It's without question a transformational piece of legislation that advocates, dictates, and ultimately requires a significant expansion in the exchange of electronic protected health information (ePHI). For purposes of regulatory compliance, specifically HIPAA Privacy and Security, the HITECH Act component of critical importance is Subpart D, Notification in the Case of Breach of Unsecured Protected Health Information, which consists of the following areas:

§ 164.400 Applicability.
§ 164.402 Definitions.
§ 164.404 Notification to individuals.
§ 164.406 Notification to the media.
§ 164.408 Notification to the Secretary.
§ 164.410 Notification by a business associate.
§ 164.412 Law enforcement delay.
§ 164.414 Administrative requirements and burden of proof.

Subpart D essentially strengthens the civil and criminal enforcement of the HIPAA Privacy and Security Rules by placing strong requirements and mandates on breaches. For purposes of HITECH Subpart D, breach means the following:

"The acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information."

Additionally, major changes came into play for HIPAA because of the HITECH Act; more specifically, the Privacy and Security Rules for HIPAA have been broadened and strengthened by the final Omnibus ruling put forth in January 2013. Learn more about the HITECH Act and Subpart D by visiting the Department of Health and Human Services (www.hhs.gov).
 
HIPAA Security Awareness Training Requirements

It's important to note that under the HIPAA Administrative Safeguards, specifically 164.308(a)(5), the rule states the following: "Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management)." This statement, though brief, requires covered entities, business associates, and any other relevant party to do just that: undertake comprehensive security awareness training for "all" members within an organization. The HIPAA security awareness training provided to your organization offers an in-depth overview of important HIPAA and HITECH subject matter, while also covering dozens of critical information security awareness topics and issues.

HIPAA Security Rule

The HIPAA Security Rule, considered rather brief in terms of length and documentation for regulatory compliance legislation, nonetheless places a large focus on the protection of electronic Protected Health Information (ePHI). Ultimately, this requires covered entities, business associates, and any other relevant parties to have best-of-breed operational, business-specific, and information security policies, procedures, and practices in place. While the HIPAA Security Rule technically includes parts 164.302 to 164.318, it's the Administrative, Physical, and Technical Safeguards that draw the most attention, and rightfully so, as they provide explicit guidance on the various mandates that must be in place for ensuring compliance.
 
 
 

HIPAA Security | 164.308 Administrative Safeguards

HIPAA 164.308 requires the following:

• Implement policies and procedures to prevent, detect, contain, and correct security violations.
• Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity.
• Implement policies and procedures to ensure that only appropriate members of the workforce have access to ePHI.
• Implement policies and procedures for authorized access to ePHI that are consistent with the applicable requirements of the Privacy Rule.
• Implement a security awareness and training program for all members of its workforce (including management).
• Security incident procedures.
• Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that could damage systems that contain ePHI.
• Perform a periodic technical and non-technical evaluation to ensure that standards continue to be met in response to operational and environmental changes.
• Business associate contracts and other arrangements.

In summary, covered entities, business associates, and other relevant parties are to have comprehensive policies and procedures in place addressing the aforementioned areas. As an employee of your organization, you have the right to request such documentation from authorized personnel for gaining a greater understanding of HIPAA 164.308 and general best practices relating to the protection of electronic Protected Health Information (ePHI).
 
 
HIPAA Security | 164.310 Physical Safeguards

HIPAA 164.310 requires the following:

• Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
• Workstation use.
• Workstation security.
• Device and media controls.

In summary, covered entities, business associates, and other relevant parties are to have comprehensive policies and procedures in place addressing the aforementioned areas. As an employee of your organization, you have the right to request such documentation from authorized personnel for gaining a greater understanding of HIPAA 164.310 and general best practices relating to the protection of electronic Protected Health Information (ePHI).

Note: You may notice the wording in HIPAA to be vague and general at times; what's important to note is that the aforementioned requirements are tailored to an organization's exact needs. Specifically, that means "policies and procedures" for a large, multi-chain health care provider would be vastly different from those for a small dentist office. HIPAA is also about scalability and flexibility, so please keep that in mind.
 
 
 

HIPAA Security | 164.312 Technical Safeguards

HIPAA 164.312 requires the following:

• Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights.
• Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
• Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
• Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
• Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

In summary, covered entities, business associates, and other relevant parties are to have comprehensive policies and procedures in place addressing the aforementioned areas. As an employee of your organization, you have the right to request such documentation from authorized personnel for gaining a greater understanding of HIPAA 164.312 and general best practices relating to the protection of electronic Protected Health Information (ePHI).

Note: 164.312 places a heavy emphasis on information security topics, which you'll learn about throughout the HIPAA security awareness training material.
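The five 164.312 standards read as abstract mandates, but four of them (access control, audit controls, integrity, and person or entity authentication) can be shown together in one small program. The following is an added example, not code from the manual and not the wording of the regulation: an ePHI access gateway that authenticates the caller with a salted PBKDF2 password, checks a role matrix before returning a record, records every attempt in an audit log, and builds that log as a hash chain so that any later edit to an entry is detectable. Transmission security, the fifth standard, is not shown here; TLS is the usual control for it. The roles, users, record, and passwords in the code are constructed for illustration.

```python
"""Added example (not code from the manual or the regulation): a small ePHI
access gateway exercising four of the five 164.312 standards.

  access control   - a role matrix decides which record types a role may read
  authentication   - callers prove identity with a salted PBKDF2 password
  audit controls   - every attempt (allowed, denied, failed login) is logged
  integrity        - the audit log is a hash chain, so later edits are detected

Roles, users, records and passwords below are constructed for illustration.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 100_000

# Constructed role matrix: the record types each role is permitted to read.
PERMISSIONS: Dict[str, set] = {
    "physician": {"clinical_note", "lab_result"},
    "billing": {"claim"},
    "receptionist": set(),
}

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store passwords as salt$pbkdf2-sha256, never in the clear."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest for the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)

class AuditLog:
    """Append-only log: each entry's hash covers its event and the previous hash."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

    def append(self, **event) -> None:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({"event": event, "prev": prev, "hash": self._digest(prev, event)})

    def verify(self) -> bool:
        """True only if no entry was altered, removed or reordered."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != self._digest(prev, entry["event"]):
                return False
            prev = entry["hash"]
        return True

class EphiGateway:
    """Every read of ePHI passes through here: authenticate, authorise, record."""

    def __init__(self, users: Dict[str, dict], records: Dict[str, dict]) -> None:
        self.users, self.records, self.log = users, records, AuditLog()

    def read(self, user_id: str, password: str, record_id: str) -> Optional[dict]:
        user = self.users.get(user_id)
        if user is None or not verify_password(password, user["pw"]):
            self.log.append(user=user_id, record=record_id, outcome="auth_failed")
            return None
        record = self.records.get(record_id)
        if record is None or record["type"] not in PERMISSIONS.get(user["role"], set()):
            self.log.append(user=user_id, record=record_id, outcome="denied")
            return None
        self.log.append(user=user_id, record=record_id, outcome="allowed")
        return record

def demo() -> dict:
    """Constructed scenario: an allowed read, a denied read, a bad password, and
    then an attempt to rewrite the denied entry in the audit log."""
    users = {
        "dr_lee": {"role": "physician", "pw": hash_password("correct horse battery")},
        "front_desk": {"role": "receptionist", "pw": hash_password("desk-2013")},
    }
    records = {"R-1001": {"type": "lab_result", "patient": "MRN-0001", "value": "HbA1c 6.1%"}}
    gw = EphiGateway(users, records)
    allowed = gw.read("dr_lee", "correct horse battery", "R-1001")
    denied = gw.read("front_desk", "desk-2013", "R-1001")
    bad_pw = gw.read("dr_lee", "wrong password", "R-1001")
    outcomes = [e["event"]["outcome"] for e in gw.log.entries]
    intact_before = gw.log.verify()
    gw.log.entries[1]["event"]["outcome"] = "allowed"  # tamper with the log
    return {"allowed": allowed is not None, "denied": denied is None, "bad_pw": bad_pw is None,
            "outcomes": outcomes, "intact_before": intact_before, "intact_after": gw.log.verify()}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points are worth noting. The denied and failed-login attempts are logged just like the allowed one, because the audit control standard is about recording and examining activity, not only successes. And the hash chain only makes tampering detectable; to make it evident to anyone but the log's owner, the latest hash would be copied periodically to a separate system (or signed), which the example leaves out.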
 
 
 

HIPAA Security | Policies and Procedures

It's worth mentioning that HIPAA 164.316, "Policies and procedures and documentation requirements", discusses the importance of the following:

• Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart...

• Maintain the policies and procedures implemented to comply with this subpart...

• Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

• Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.

• Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information.

 
 
 

HIPAA Notification of Breaches | As Amended by the Final Omnibus Ruling | January, 2013

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) put forth the final omnibus rule, effectively amending various provisions of the original 1996 HIPAA legislation signed into law by President Bill Clinton. Specifically, in accordance with the HITECH Act of 2009, amendments were put forth in the final omnibus ruling that supplemented and modified the original HIPAA Security and Privacy Rules and the breach notification requirements. What's important to note about the issue of "breaches" in the context of HIPAA, and specifically in accordance with the final omnibus ruling of January 2013, is the following:

• The final omnibus ruling effectively modified the "Breach Notification Rule" of 2009.

• It clarifies the definition of what a "breach" is.

• New risk assessment requirements were put into place requiring documentation of such practices and consideration of the following four (4) factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.
2. The unauthorized person who used the protected health information or to whom the disclosure was made.
3. Whether the protected health information was actually acquired or viewed.
4. The extent to which the risk to the protected health information has been mitigated.

Business Associates (BA) and their relevant third-party providers are also in scope for the breach notification changes under the final omnibus ruling.
 
 
Other important considerations regarding the enhanced breach notification rule are the following:

• It requires a covered entity to notify an individual when unsecured PHI has been improperly disclosed.
• The Department of Health and Human Services (HHS) is to be notified regarding confirmed breaches, either through an annual report or sooner, depending on the number of individuals affected.
• The definition of a breach, according to HHS, is the following: "acquisition, access, use, or disclosure" of PHI in violation of the Privacy Rule that "compromises the security or privacy" of the PHI. Thus, an impermissible use or disclosure of PHI is presumed to be a "breach".

There are exceptions to a "breach", which consist of the following:

1. Any unintentional acquisition, access, or use of protected health information by a workforce member (including a volunteer or trainee) or person acting under the authority of a covered entity or business associate, if the acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted by the Privacy Rule.
2. Inadvertent disclosures of protected health information from a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity, business associate, or organized health care arrangement in which the covered entity participates.
3. Where a covered entity or a business associate has a good-faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Additionally, enhanced policies, procedures, and practices will need to be developed and implemented in accordance with the final omnibus ruling.
 
 
HIPAA Privacy Rules

The "Privacy Rule", technically known as the Standards for Privacy of Individually Identifiable Health Information (Subpart E), put in place a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services ("HHS") issued the Privacy Rule to implement the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The Privacy Rule standards address the use and disclosure of individuals' health information, called "protected health information", by the organizations subject to the Privacy Rule, namely "covered entities" and, at times, business associates and their affiliates.

According to the Department of Health and Human Services (www.hhs.gov), "A major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being." As to who specifically is covered and mandated to comply with the Privacy Rule, it generally consists of the following:

• Health Plans
• Health Care Providers
• Health Care Clearinghouses

It's important to note that the Department of Health and Human Services (www.hhs.gov) states that "The Privacy Rule…apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA." Combined with the Final Omnibus Ruling (January 2013), which includes provisions for "business associates", it's safe to say that "ANY" entity working with health information and data will need to be compliant with the HIPAA Privacy Rules and all applicable Subpart E mandates.

  HIPAA  Security  Awareness  Training  Program  |  2013     33  


 
 
HIPAA Privacy Rules
 
As for what information is protected under the Privacy Rule, it’s “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral - this is its “protected health information” (PHI). As for “individually identifiable health information”, according to www.hhs.gov this is information, including demographic data, that relates to:

• The individual’s past, present or future physical or mental health or condition,
• The provision of health care to the individual, or
• The past, present, or future payment for the provision of health care to the individual.

A large part of the Privacy Rule deals specifically with “uses and disclosures” - defining and limiting the circumstances in which an individual’s protected health information may be used or disclosed by covered entities, business associates, and their affiliates. Subpart E, § 164.502 to § 164.514, discusses the various provisions of “uses and disclosures” in much more detail.

In all, the Privacy Rule covers the following four (4) broad-based areas and respective requirements:

• Uses and Disclosures
• Individual Rights
• Administrative Requirements
• General Safeguards and Best Practices

HIPAA Privacy | 164.500 - 164.534

Technically speaking, Subpart E of the HIPAA Privacy Rules contains the following:

• § 164.500 Applicability
• § 164.501 Definitions
• § 164.502 Uses and disclosures of protected health information: general rules
• § 164.504 Uses and disclosures: organizational requirements
• § 164.506 Uses and disclosures to carry out treatment, payment, or health care operations
• § 164.508 Uses and disclosures for which an authorization is required
• § 164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object
• § 164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required
• § 164.514 Other requirements relating to uses and disclosures of protected health information
• § 164.520 Notice of privacy practices for protected health information
• § 164.522 Rights to request privacy protection for protected health information
• § 164.524 Access of individuals to protected health information
• § 164.526 Amendment of protected health information
• § 164.528 Accounting of disclosures of protected health information
• § 164.530 Administrative requirements
• § 164.532 Transition provisions
• § 164.534 Compliance dates for initial implementation of the privacy standards

HIPAA Privacy | 164.500 - 164.534

As mentioned earlier, the Privacy Rule covers the following four (4) broad-based areas and respective requirements:

• Uses and Disclosures
• Individual Rights
• Administrative Requirements
• General Safeguards and Best Practices

To learn more about the Privacy Rule, please visit the Department of Health and Human Services (HHS) at:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

HIPAA Privacy | General Principles for Uses and Disclosures

It’s important to note that a major purpose of the Privacy Rule is to define - and ultimately limit - the circumstances and situations in which an individual’s protected health information (PHI) may be used and/or disclosed by covered entities, business associates, and their affiliates. As such, a covered entity may not use or disclose protected health information except either as permitted and/or required by the Privacy Rule, or as authorized in writing by the individual (or that individual’s personal representative). More specifically, a covered entity must disclose protected health information in only the following two situations: (a) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and (b) to the Department of Health and Human Services (HHS) for purposes of a compliance investigation or review or enforcement action.

It’s also important to keep in mind that HIPAA amendments and revisions (i.e., the Final Omnibus Ruling, changes and advances in technology, other legal issues) have brought “business associates” into scope for purposes of the HIPAA Privacy Rule. It is a best practice to now adopt and implement many of the required policies, procedures, and practices within the HIPAA Privacy Rule - originally intended only for covered entities - to include business associates and their other affiliates. The “downstream effect” of accountability has taken root, clearly bringing other organizations into scope for the HIPAA Privacy Rule.

HIPAA Privacy | Permitted Uses and Disclosures

As for “Permitted Uses and Disclosures”, as an employee you need to know that a covered entity (and other relevant parties) is permitted - but not required - to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations (source: www.hhs.gov):

1. To the Individual (unless required for access or accounting of disclosures).
2. Treatment, Payment, and Health Care Operations.
3. Opportunity to Agree or Object.
4. Incident to an otherwise permitted use and disclosure.
5. Public Interest and Benefit Activities.
6. Limited Data Set for the purposes of research, public health or health care operations.

Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.

Each of the above conditions warrants further explanation, so please consider the following regarding these items:

1. “To the Individual”. It means just that - a covered entity (and other relevant parties) may disclose protected health information to the individual who is the subject of the information.

2. “Treatment, Payment, and Health Care Operations”. Generally speaking, a covered entity (and other relevant parties) may use and disclose protected health information for its own treatment, payment, and health care operations activities. Furthermore, a covered entity (and other relevant parties) also may disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities (or other relevant parties) have or had a relationship with the individual and the protected health information pertains to the relationship.

3. “Opportunity to Agree or Object”. Informal permission can also be obtained by asking the individual outright, or by relevant circumstances or situations that clearly give the individual the opportunity to agree, acquiesce, or object.

4. “Incident to an otherwise permitted use and disclosure”. The Privacy Rule also permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity (or other relevant party) has applied reasonable safeguards and implemented the minimum necessary standard, where applicable. Furthermore, an incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule. (Source: www.hhs.gov | Incidental Uses and Disclosures)

5. “Public Interest and Benefit Activities”. The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes, which are the following:

   1. Required by Law
   2. Public Health Activities
   3. Victims of Abuse, Neglect, Domestic Violence
   4. Health Oversight Activities
   5. Judicial and Administrative Proceedings
   6. Law Enforcement Purposes
   7. Decedents
   8. Cadaveric Organ, Eye, or Tissue Donation
   9. Research
   10. Serious Threat to Health or Safety
   11. Essential Government Functions
   12. Worker’s Compensation

6. “Limited Data Set”. A limited data set - which essentially is protected health information from which specified direct identifiers of individuals and their relatives, household members, and employers have been removed - may be used and disclosed for research, health care operations, and public health purposes, provided the applicable criteria are met.

HIPAA Privacy | Authorized Uses and Disclosures

Whereas “Permitted Uses and Disclosures” allow covered entities (and other relevant parties) to disclose protected health information, “Authorized Uses and Disclosures” state that a covered entity (or other relevant party) must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. Additionally, a covered entity (or other relevant third party) may “…not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization, except in limited circumstances”. (Source: www.hhs.gov | Authorized Uses and Disclosures)

As for the actual “authorization”, it must be written, in plain language, and in specific terms. Additionally, it must contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, etc.

HIPAA Privacy | Individual Rights

Individuals also have numerous rights that have been well documented within the HIPAA Privacy Rule, specifically the following:

• The right of an individual (often referred to as a patient) to access Protected Health Information (PHI).
• The right to request certain restrictions regarding the use and disclosure of PHI.
• The right to authorize marketing communication.

More specifically, the following sections within Subpart E, § 164.500 through § 164.534, discuss various privacy rights for individuals:

• § 164.520 - “an individual has a right to adequate notice of the uses and disclosures of protected health information…”.
• § 164.522 - “must permit an individual to request that the Covered Entity restrict use or disclosure of Protected Health Information about the individual to carry out treatment, payment or health care operations and restrictions related to family members, friends…”
• § 164.524 - “an individual has a right of access to inspect and obtain a copy of Protected Health Information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set”.
• § 164.526 - “An individual has the right to have a Covered Entity amend Protected Health Information in a designated record set for as long as the Protected Health Information is maintained in the record set”.
• § 164.528 - Similar in context to § 164.526.

Additionally, many other individual (i.e., patient) rights are discussed within the aforementioned sections of Subpart E, § 164.500 through § 164.534.

HIPAA Privacy | Administrative Requirements

The HIPAA Administrative Requirements - specifically HIPAA Privacy § 164.530 - outline in detail various broad-based measures required to be in place by covered entities, such as the following:

• Personnel Designations: A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.

• Workforce Training: A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information. More specifically, a covered entity must provide training that meets the requirements in the following manner: (A) no later than the compliance date for the covered entity; (B) within a reasonable period of time after the person joins the covered entity's workforce; (C) to each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures. Additionally, a covered entity must document that the training has been provided, as required.

• Safeguards: A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. Additionally, a covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure. Moreover, a covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures.

• Complaints: A covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures.

• Sanctions: A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity.

• Mitigation: A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures.

• Waiver of Rights: A covered entity may not require individuals to waive their rights under § 160.306 of this subchapter.

• Policies and Procedures: A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements. Additionally, a covered entity must change its policies and procedures as necessary and appropriate to comply with changes in the law.

• Changes in Law: Whenever there is a change in law that necessitates a change to the covered entity's policies or procedures, the covered entity must promptly document and implement the revised policy or procedure.

• Changes to Privacy Practices: To implement a change, a covered entity must: (A) ensure that the policy or procedure, as revised to reflect a change in the covered entity's privacy practice as stated in its notice, complies with the standards, requirements, and implementation specifications; (B) document the policy or procedure; (C) revise the notice as required by § 164.520(b)(3) to state the changed practice and make the revised notice available as required by § 164.520(c).

• Group Health Plans: A Group Health Plan that provides all health benefits through an issuer or HMO and does not create or receive PHI other than summary health information or enrollment/disenrollment information is NOT subject to the requirements of this section, except for the following:
   • Prohibiting waiver of rights,
   • Prohibiting retaliation and intimidation, and
   • Documenting plan amendments

HIPAA Privacy | General Safeguards and Best Practices

While not an explicit section under the HIPAA Privacy Rule - collectively speaking - general safeguards and best practices are discussed and enumerated throughout § 164.500 through § 164.534, as the following examples of verbiage show:

• The business associate will appropriately safeguard the information - § 164.502.
• Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract - § 164.504.
• Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement - § 164.514.
• “A covered entity must reasonably safeguard protected health information” - § 164.530.
• A covered entity must have in place appropriate administrative, technical, and physical safeguards - § 164.530.
• A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures - § 164.530.
• A covered entity must implement policies and procedures with respect to protected health information - § 164.530.

Covered Entities

As defined by HIPAA, covered entities are (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which the Department of Health and Human Services has adopted standards. Generally speaking, transactions undertaken by covered entities encompass billing and payment for health care services or insurance coverage. Hospitals, medical centers, physician offices, and numerous other health care providers who electronically transmit health care information are deemed to be covered entities. More specific examples of covered entities, for purposes of HIPAA’s three (3) main categories, consist of the following:

• Health Plans: Health insurance companies, HMOs, company health plans, and government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans’ health care programs.
• Health Care Clearinghouses: Entities that process nonstandard health information they receive from another entity into a standard format (i.e., standard electronic format or data content), or vice versa.
• Health Care Providers: Doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.

Source: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/

Business Associates

The definition of a “business associate” has fundamentally changed with the Final Omnibus Ruling of January, 2013, which effectively expands and increases the scope and accountability of such organizations. Initially, a business associate was defined as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity”. With the Final Omnibus Ruling, the definition has been significantly enhanced to include the following provisions:

“…a person or entity that creates, receives, maintains or transmits protected health information to perform certain functions or activities on behalf of a covered entity”. Additionally, the following three (3) different types of service providers are now specifically identified as business associates under the final rule:

1. Health information organizations, e-prescribing gateways, and other people or entities that provide data transmission services to a covered entity with respect to protected health information and that require access on a routine basis to such protected health information
2. People or entities that offer personal health records to one or more individuals on behalf of a covered entity
3. Subcontractors that create, receive, maintain or transmit protected health information on behalf of business associates

In summary, there’s now a clear “downstream effect” in place - specifically, the rights, duties, and obligations for which a business associate is responsible are now also the responsibility of subcontractors and other related parties. Ultimately, business associates will need to enter into “business associate contracts” with such downstream providers - and in turn - these downstream providers will need to enter into contractual relationships with their providers, etc.

According to www.hhs.gov, the following are examples of business associates:

• A third party administrator that assists a health plan with claims processing.
• An accounting firm whose accounting services to a health care provider involve access to protected health information.
• An attorney whose legal services to a health plan involve access to protected health information.
• A consultant that performs utilization reviews for a hospital.
• A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
• An independent medical transcriptionist that provides transcription services to a physician.
• A pharmacy benefits manager that manages a health plan’s pharmacist network.

Final Omnibus Ruling (January, 2013)

In January, 2013, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released its final regulations containing modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (the Final Omnibus Ruling), which paved the way for dramatic changes to HIPAA, particularly to the Privacy and Security Rules. In the past, HIPAA compliance lacked any real regulatory “teeth” - it was a law that simply advocated voluntary compliance. Fast-forward to 2013 and what’s now in place are real and severe penalties, along with enhanced compliance requirements for covered entities, business associates, and other related parties. Notable points worth mentioning for purposes of HIPAA Security Awareness and Workforce Training are the following:

• Penalties that range from $100 to $50,000 per violation, depending on the level of culpability, with a $1.5 million cap per calendar year for multiple violations of identical provisions, and criminal penalties of up to 10 years in prison.
• Significantly changes the breach notification analysis with a four (4) point process to test and ultimately determine whether or not protected health information (PHI) has been compromised, thus requiring breach notification.
• Regarding marketing, the final rule requires authorization for all treatment and health care operations communications whereby the covered entity receives financial remuneration from the third party whose products or services are being marketed, though there still are exceptions.
• Streamlined authorization requirements for the use of individuals’ PHI for research purposes.
• Clarified that while business associates are not subject to all requirements of the Privacy Rule, they are to:
   • Comply with the terms of a business associate agreement related to the use and disclosure of PHI;
   • Provide PHI to the Secretary upon demand;
   • Provide an electronic copy of PHI to an individual (or covered entity) in response to an individual’s request for an electronic copy of PHI;
   • Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request; and
   • Enter into business associate agreements with subcontractors that create or receive PHI on their behalf.

Helpful HIPAA Resources

HIPAA is a large, expansive, and complex piece of legislation, one that requires long hours of study to understand all of its working parts. However, there are numerous helpful resources that effectively break down, clarify, and distill the actual law without having to mine through the actual legislative publication. Spend some time visiting the following websites to gain a stronger understanding of HIPAA:

• The Department of Health and Human Services
• DHHS National Institutes of Health
• Centers for Medicare and Medicaid Services

FERPA

The Family Educational Rights and Privacy Act, simply known as FERPA, is a federal law designed to protect the privacy of student education records, establish the right of students to inspect and review their education records, and provide guidelines for the correction of inaccurate and misleading information. In essence, it gives students the right to inspect and review their education records, to seek to amend their education records when there has been a legitimate error recorded, and to have a fair amount of control over the release of information from their education records. If, at any time, this organization holds student information of any type and in any format (hard copy or electronic medium), it will be important to learn more about FERPA, for which human resources will provide such information. Additionally, if you have children, it’s important to know they have rights over their student education records.

FACTA

The Fair and Accurate Credit Transactions Act of 2003 - FACTA, or the FACT Act, as it's commonly referred to - contains essential provisions for helping reduce the growing problem of identity theft by allowing consumers to place fraud alerts on consumer reporting agency files (i.e., the credit scoring bureaus). Additionally, FACTA prohibits businesses from printing more than 5 digits of any customer's card number, or the card expiration date, on any receipt provided to the cardholder at the point of sale or transaction. Furthermore, FACTA mandates that regulations be established by certain government agencies regarding the detection of identity theft by financial institutions and creditors. As an employee, you need to be aware of these provisions regarding the protection of any consumer information held by the organization. Additionally, if you feel your identity has been compromised in any way, then it's important to place "fraud alerts" on your consumer information with the major credit reporting agencies. You can learn more about FACTA by searching online, where numerous resources are available.
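The receipt truncation provision above is one of the few FACTA rules that lands directly in code. The following is an added example, not part of this manual and not any vendor's point-of-sale software: it masks a card number down to the last five digits (the figure stated above), keeps the expiration date off the receipt entirely, and scans finished receipt text for either mistake so a merchant can check its own output. The sample card number is a well-known Luhn-valid test value, not a real account, and the five-digit limit, the 13-19 digit length range and the labelled-expiry pattern are assumptions made for the illustration.

```python
"""FACTA receipt truncation as the manual describes it: print no more than
the last five digits of the card number and no expiration date, plus a
scan that flags receipt lines violating that. Added example; the
five-digit figure is the one given in this manual, and the sample card
number is a well-known Luhn-valid test value, not a real account."""
import re
from typing import List

# Constructed sample input: a standard test card number and expiry.
SAMPLE_PAN = "4111 1111 1111 1111"
SAMPLE_EXPIRY = "12/15"

DIGITS_TO_KEEP = 5  # the limit stated in this manual


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep: int = DIGITS_TO_KEEP) -> str:
    """Mask all but the last `keep` digits; reject implausible input."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - keep) + digits[-keep:]


def receipt_lines(merchant: str, pan: str, expiry: str, amount: str) -> List[str]:
    """Build receipt text with a truncated PAN and no expiration date.

    `expiry` is accepted so callers can pass the full card record, but it
    is deliberately never written to the receipt.
    """
    del expiry
    return [merchant, "Card: " + truncate_pan(pan), "Amount: " + amount]


# A run of 13-19 digits, optionally separated by spaces or dashes.
PAN_RUN = re.compile(r"(?<![\d*])(?:\d[ -]?){13,19}(?!\d)")
# A labelled expiry field such as "Exp: 12/15" or "Expires 12/2015".
EXPIRY_FIELD = re.compile(r"\bexp\w*\.?\s*:?\s*(0[1-9]|1[0-2])/\d{2,4}", re.I)


def receipt_violations(lines: List[str]) -> List[str]:
    """Return a description of every FACTA problem found in the receipt."""
    problems = []
    for line in lines:
        for m in PAN_RUN.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):   # skip phone numbers, timestamps, etc.
                problems.append("full card number printed: " + m.group().strip())
        if EXPIRY_FIELD.search(line):
            problems.append("expiration date printed: " + line)
    return problems


if __name__ == "__main__":
    good = receipt_lines("Example Store", SAMPLE_PAN, SAMPLE_EXPIRY, "$9.99")
    bad = ["Example Store", "Card: " + SAMPLE_PAN, "Exp: " + SAMPLE_EXPIRY]
    print("\n".join(good), receipt_violations(good))
    print(receipt_violations(bad))
```

The scan deliberately applies the Luhn check before reporting a digit run, so a long order or phone number on the receipt is not mistaken for a card number; the expiry check only fires on a labelled field, so an ordinary transaction date is left alone.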

Red Flags Rules

The Red Flags Rule was created by the Federal Trade Commission (FTC) for the purpose of fighting identity theft, and it generally applies to financial institutions and creditors. A "financial institution" is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a "transaction account" belonging to a consumer. A "creditor" is any entity that regularly extends or renews credit - or arranges for others to do so - and includes all entities that regularly permit deferred payments for goods or services.

Thus, the Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs, which must include the following four basic elements:

• Identify relevant red flags
• Detect red flags
• Prevent and mitigate identity theft
• Update the program

Additionally, the Red Flags Rules provide all financial institutions and creditors the opportunity to design and implement a program that's appropriate to their size and complexity, and specific to their business. Lastly, it's important to note that "red flags" fall under the following five (5) categories:

• Alerts, notifications, or warnings from a consumer reporting agency
• Suspicious documents
• Suspicious identifying information, such as a suspicious address
• Unusual use of - or suspicious activity relating to - a covered account
• Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts

PCI DSS

PCI DSS, according to the Payment Card Industry Security Standards Council, is the following:

"The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data."

Source: http://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

In simpler terms, it's about ensuring the protection of cardholder data being stored, processed, or transmitted by merchants, service providers, and other affiliated entities. Stop and think about all the organizations that "touch" credit cards, and one can quickly see how widespread the adoption of PCI actually is. Name an industry or business sector, and chances are highly likely - almost certain - that PCI is a large and notable presence, one that requires constant effort and attention. At a high level, that's what PCI is. As for the actual PCI DSS requirements, they consist of what's known as twelve (12) core "Requirements" - mandates for protecting cardholder data. Within these twelve (12) requirements are provisions for various policies, procedures, forms, etc. to be in place.

GLBA

The Gramm-Leach-Bliley Act, simply known to many as GLBA, while it repealed provisions within the 1933 Glass-Steagall Act, nevertheless contains a number of important mandates relating to regulatory compliance in the financial services world. Specifically, the "Financial Privacy Rule", "Safeguards Rule" and "Pretexting Protection" provisions within GLBA created strict requirements for privacy, and for protecting and disclosing various types of information, along with other measures.

For organizations offering financial products or services to consumers, certain regulatory compliance guidelines relating to "privacy" notices and information disclosure practices regarding consumers' information must be met, no exceptions. As a result, banks, securities firms - just to name a select few - and other financial institutions are required to make these disclosures to both their customers and consumers.

Please note that for purposes of GLBA compliance, a "financial institution" is an organization that's "significantly engaged" in "financial activities", such as offering products and services to individuals, such as loans, financial and investment advice, insurance, etc. Some common examples of "financial institutions" include mortgage lenders, credit counseling services, and collection agencies, along with a laundry list of other entities. Simply stated, if your organization provides services to "customers" and "consumers" for which a financial product or service is involved, then it's highly likely GLBA compliance is a must. And if you're curious, a "consumer" is defined as someone that obtains or has obtained financial products or services from an actual financial institution, which are used primarily for personal, family, or household purposes, or that individual's legal representative. As for a customer, they are actually a "consumer" who has a "continuing relationship" with a financial institution.

The Safeguards Rule requires that financial institutions have an adequate security plan in place for protecting the confidential information of consumers. This "security plan" ultimately requires procedures for properly disposing of consumer report information, along with general guidelines for ensuring compliance with the privacy provisions within GLBA.

As for Pretexting Protection, this ultimately requires that safeguards be in place for protecting against "pretexting", which can include any type of deliberate attempt to gain access to private information that an individual is explicitly not allowed to access.


Other Regulations

The aforementioned laws and regulations are some of the most well-known pieces of legislation affecting business today, but there are many, many more. Keep in mind that the main focus of any regulation - for purposes of security awareness - is gaining a high-level understanding of the ruling and the relevant information security implications accompanying such laws. As society continues to push aggressively forward with the use of information technology, there's sure to be even more compliance rulings ushering out of the halls of legislative bodies around the world. From data security acts to industry-specific mandates, there's simply no shortage of regulatory compliance, so keep that in mind when undertaking your daily responsibilities for your organization.

Security Awareness Topics

With some basic knowledge of information security provided to you, along with an introduction to numerous laws, regulations, and industry-specific mandates, it's now time to focus on a number of key security awareness subject matter topics. Please note that the information presented serves to educate employees and other in-scope personnel on general best practices for information security, which directly correlates to the numerous HIPAA mandates put forth for the protection of Protected Health Information (PHI). Security awareness is much more than just protecting sensitive and confidential information for purposes of compliance; it's about being aware of and responsive at all times to any incidents potentially affecting the safety and security of our organization, and you personally. Remember, adopting the Department of Homeland Security's (DHS) motto for reporting suspicious activity - "If You See Something, Say Something™" - is a practical way to look at security awareness in today's world of growing security threats.

Let's look at a number of critical security awareness topics you need to know about for helping ensure the safety and security of both you and the organization. Please keep in mind that the list is extensive, much like the threats that have evolved in recent years.

Account Security and Access Rights

One of the most fundamentally important aspects of information security is protecting your unique username and log-in credentials to any number of system components, and to your personal accounts.

Stop and think of all the highly sensitive and confidential information you access each and every day, all with a quick stroke of the keyboard or by punching in a PIN. Our lives truly are controlled by technology, yet you have a responsibility to the companies that employ you to protect such information, which means doing the following:

• Using strong passwords, passcodes, and PINs, and changing them on a frequent basis.
• Never giving your username, password or any other account login credentials to anyone.
• Never writing down your username, password or any other account login credentials and leaving such information available for public viewing.
• Never trying to gain access to information for which you are not authorized.

Malware

There's a never-ending list of malicious software trying to harm and destroy computers, making it critically important to use anti-malware solutions at all times, especially anti-virus, which is the cornerstone of protecting your computer. Additionally, the anti-virus should be current and updated, and scanning your computer on a regular basis. There are numerous other anti-malware solutions available - many of them quite effective - but just remember that the foundation of protecting your computer starts with anti-virus. Simply stated, you need to have it and it needs to be running all the time. From your workstations at work to your home computers and laptops, they all need current anti-virus software.

Security Updates

While I.T. professionals are busy updating and applying critical security patches to your organization's system components, it's important that all employees also do the same for many of their devices, particularly applications used on a daily basis. Security is the first and foremost reason for applying security updates, but there are other benefits also, such as new and enhanced features, improved performance and stability. Additionally, security updates are almost always free - so there's another compelling reason! Along with ensuring that a current and stable version of anti-virus is being used, the following are to be updated accordingly:

• Internet browsers: Updating browsers (Internet Explorer, Mozilla, and Google Chrome) is extremely important for ensuring all web pages display correctly, security holes are no longer present, and all performance features are maximized.

• Microsoft Windows operating systems: Simply automating the "Windows Update" service is all that really needs to be done, so visit your "Control Panel" and enable this feature, which is likely on already.

• Portable Document Format (PDF) | Adobe: Hackers can create malicious files and other executables that exploit software handling the Portable Document Format (PDF), therefore it's important to click "yes" when Adobe software asks if you want to apply security updates.

• Other essential applications: There's an almost endless list of applications being used today, so keep a list handy of what's on your computer, making sure to perform security updates as required, not only for safety but for performance and software stability.

Clean Desk Policy

Keeping your desk free of clutter and unnecessary items helps promote a professional work environment, while also ensuring the safety and security of sensitive documents and assets. Because employees all leave their workstations throughout the day for any number of reasons, make sure to turn off your computer or, at the very minimum, enable the password-protected screensaver. Additionally, remove any sensitive hard-copy documentation and electronic media (USB drives, disks, etc.) and store them in a secure location, such as a locked file drawer or cabinet nearby.

For any documents no longer needed for work, make sure to shred such material or place it in a secure bin, regardless of sensitivity, never placing such documents in any public trash can, such as those immediately in your workspace. Never use Post-it notes or other forms of notes and reminders at your workstation that contain sensitive and confidential information, such as passwords, account information, etc. Furthermore, if you have visitors at your workstation, please put away all sensitive and confidential information. If you incur an extended absence from work, such as holidays, vacation, etc., please clear your desk of all items considered sensitive and confidential. Lastly, do a brief check before leaving your workstation for the day, securing all appropriate items.

Workstation Security

Protecting your workstation area - specifically your desktop computer and other supporting devices - is an important duty all employees should take very seriously. While many of the workstation security best practices mentioned below are also discussed in other areas of the security awareness training program, you'll find additional requirements, tips, and suggestions considered important. Employees spend long hours at their workstations, so it's critical to implement the following best practices:

It's your workstation. That means only you should be using it, and primarily for business purposes only. Sure, it's fine to conduct personal activities also, such as checking your email, logging into online banking, even accessing a few of the accepted social media platforms, such as Facebook and LinkedIn. Allowing other employees to use your workstation is strictly prohibited, so be aware of this. Imagine another employee using your workstation, accessing the Internet and possibly downloading unsuspected malware, sending an unprofessional email, or taking any other action. It happens all the time and you don't want to be blamed for something you didn't do, so don't share your workstation rights.

Use strong passwords. While most passwords will be enforced by group policy settings from I.T. personnel, it's still important to make them unique, never using information pertaining to your favorite sports team, home address, middle name, etc. With password complexity requirements in place often requiring the use of symbols and numbers and other mandates, it's also a good idea to adopt the same policies for other systems and websites to which you personally have administrative password access rights, such as online banking, social media accounts, or any business accounts that are not group policy enforced by I.T. personnel.


Security updates. Make sure your workstation computer has all the required security updates for the operating system and all other applications running. This also means having anti-virus running at all times and conducting periodic scans. Additionally, the use of anti-spyware may also be required as it provides additional layers of protection, especially during Internet usage. While most of the security updates are "pushed" out and managed by I.T. personnel, at times you'll still need to accept these updates.

Don't alter security settings. Your workstation has been configured for maximum security along with performance, so do not attempt to disable or modify configuration settings of the operating system or any other applications. Doing so may increase security vulnerabilities that would ultimately allow malicious files and other harmful scripts to reside on the workstation.

Don't install any unapproved software. Your workstation has also been configured to provide you the necessary tools for performing daily roles and responsibilities, which means no additional software is needed. Do not download or install, via any of the drives or ports, additional software that has not been approved, as it may contain malicious files, could consume additional resources, or is simply not professionally suitable for the work environment.

Removable storage devices. They're easy to use, inexpensive, and a great way of transferring information, yet they're also incredibly dangerous when the wrong information is on them and they are in the wrong hands. With that said, USB devices such as thumb drives, external hard drives, and other removable storage and memory devices are never to contain highly sensitive and confidential information, such as Personally Identifiable Information (PII), or any other data deemed privileged. Such information should be transferred over the network using approved protocols and reside on company servers only.


Use caution with email. Be careful when opening emails from unknown parties, especially attachments. If it looks suspicious, do not open the email under any circumstances. Additionally, avoid clicking on links or banner advertisements sent to you, as these often contain spyware, malware, etc.

Be mindful of Instant Messaging. Instant messaging is considered fun, informal, and an easy and affordable way to communicate - all of which are true. Just be very careful as to the types of information you're sending and receiving via instant messaging, which ultimately means not transmitting any type of highly sensitive, confidential, or privileged information. This includes what's commonly known as Personally Identifiable Information (PII) - unique identifiers for any individual, such as social security numbers, dates of birth, medical accounts, etc. If you're not sure as to the sensitivity of the information, don't send it over IM.

Handle privileged information with care. From emails containing sensitive information to hard copy documents for contracts, trade secrets, or any other type of confidential data, treat it with the utmost care and professionalism, making every effort to protect its confidentiality and integrity. Don't divulge such information to unintended parties and never leave items (both hard copy and electronic media) unattended in public at any time (i.e., coffee shops, training seminars, conferences, etc.).

Report security issues immediately. Remember, if you see something, say something - and immediately. You have a responsibility for helping protect the organization, which means being aware of your surroundings and reporting suspicious activity to authorized personnel - immediately. From seeing a door ajar that shouldn't be to finding sensitive documents lying in a common area, you need to take action.

Shut down and protect your workstation. When leaving your workstation area at the end of each day, make sure to completely shut down and turn off all computers and related devices. Additionally, pick up and store any documents, electronic media, or any business and/or professional items that should not be left unattended. Use your judgment by asking yourself the following simple question - "what risk or security danger is there in leaving something not securely locked up and put away?"

Laptop Security

Securing your laptop at all times is extremely critical, and it requires comprehensive measures regarding its physical security, while also protecting all electronic data residing on it. From travelling for meetings to connecting to open public wireless access points, your laptop is a constant target, so beware. Take the following precautions for securing what's arguably one of your most important possessions:

Use encryption. The use of full-disk encryption ensures the safety and security of data (i.e., user files, swap files, system files, hidden files, etc.) residing on your laptop, especially if it's stolen, lost, or misplaced.

Use anti-virus. It's one of the most fundamentally important - and often not used - pieces of security software, so make sure your laptop has anti-virus running at all times, that it scans at regular intervals for viruses, and that the software is current.

Turn on your firewall. Blocking suspicious traffic is essential for laptop security, so turn on and "enable" your default personal firewall or an approved personal firewall software appliance, of which there are many available.

Use strong passwords. When turning on your laptop, your initial password should be extremely strong, with a combination of letters, numbers, and symbols used. Once your initial password is compromised, the contents of your entire laptop (especially if you're not using full-disk encryption) can be compromised. Don't use terms and phrases for which somebody might find an association with you, such as favorite football team, home address, middle name, etc.
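The "strong password" advice repeated in the Account Security list, the Workstation Security section and the laptop guidance just above comes down to a handful of checks that can be expressed as code. The following is an added example, not part of this manual and not the organization's actual group policy: it requires letters, numbers and symbols, rejects a password that embeds a personal detail such as a favorite team, street or middle name even when separators or capitalization are changed, and returns the list of reasons so a user can fix the password. MIN_LENGTH and the sample personal details are assumptions made for the illustration.

```python
"""Password acceptance check matching the advice in this manual: letters,
numbers and symbols, and nothing tied to you (favorite team, home
address, middle name). Added example with an assumed minimum length;
it is not the organization's actual group policy."""
import re
from typing import List

MIN_LENGTH = 12  # assumed threshold for illustration, not from the manual


def _normalize(text: str) -> str:
    """Lowercase and drop separators so 'Red-Sox' and 'redsox' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def password_problems(password: str, personal_details: List[str]) -> List[str]:
    """Return every policy violation; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"\d", password):
        problems.append("no numbers")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbols")
    # Personal details are compared after normalization, so "Red-Sox2013!"
    # is still caught as containing "Red Sox"; very short details are
    # skipped because they would match almost anything.
    norm_pw = _normalize(password)
    for detail in personal_details:
        norm_detail = _normalize(detail)
        if len(norm_detail) >= 4 and norm_detail in norm_pw:
            problems.append("contains personal detail '%s'" % detail)
    # A long run of one character adds length but no strength.
    if re.search(r"(.)\1{3,}", password):
        problems.append("repeats one character four or more times")
    return problems


def is_acceptable(password: str, personal_details: List[str]) -> bool:
    """True when the password satisfies every rule above."""
    return not password_problems(password, personal_details)


if __name__ == "__main__":
    # Constructed sample details a user might be associated with.
    details = ["Red Sox", "Elm Street", "Marie"]
    for candidate in ["Red-Sox2013!", "password", "Tr0ub4dor&3xample!"]:
        print(candidate, "->", password_problems(candidate, details) or "accepted")
```

Returning the full list of problems rather than a single pass/fail is deliberate: the manual asks users to pick unique passwords themselves, and a check that says only "rejected" teaches nothing about why.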
   
It’s   your   laptop.     Therefore,   don’t   let   other   individuals   use   it,   especially   if   it’s   somebody   you   don’t   know.   When  
situaDons  arise  that  require  it  to  be  used  by  someone  other  than  you,  create  a  guest  account  for  their  use.    
 

Secure it physically. A good investment is a security cable with a lock for securing your laptop at a workstation or any other location that requires such. They're relatively inexpensive and a great deterrent to any thief.

Keep a watchful eye. Don't ever leave your laptop unattended in any public venue or location not considered safe. That means not using the coffee house phrase "can you watch my laptop for a minute as I go to the restroom", or any other similar thought process. Being vigilant and watchful at all times is a must for the safety and security of your laptop, so remember - do not leave it unattended - plain and simple. If you have to leave it in your hotel room or some other location, then remove it from sight and place it under a pillow, in a closet, or some other location. The best safety measure is to carry it with you at all times.

Place your contact information somewhere visible. Because most people are honest and trustworthy, should your laptop be stolen, misplaced or lost - and then subsequently found by a good Samaritan - you'll clearly want your name, phone number, address, and/or email visible on it. Put a sticker on the cover or back of your laptop with all your relevant contact information.

And if your laptop is stolen. Laptops unfortunately do get stolen, so think and act quickly, which means reporting the theft to local authorities along with informing management (and the I.T. department) immediately.

Software Licensing and Usage

It's also important to understand the company's general policy on software usage, which includes numerous responsibilities that all employees need to be aware of. Software is used by all of us, each and every day, as it's vital to performing the daily tasks of one's job function. With that said, please be mindful of the following issues:

Use only approved software. Only software approved and purchased by the company may be installed and used on any company-wide system components. This includes your workstation and any other device provided to you by the company. Unapproved software that has not been fully vetted by authorized I.T. personnel can often contain dangerous or malicious code that's extremely harmful to computers. Simply stated, only load and use legally approved software on computers.

Do not duplicate software. The licensing rights for software are strict and extremely rigid, allowing only a predetermined number of installations for a given data set. This means you are not allowed to copy or duplicate any company approved and purchased software - no exceptions. U.S. copyright laws - and other regulations throughout the world - often place strict guidelines on software usage, so please keep this in mind.

Use caution on your own devices. When using your own personal workstation, laptop, or other device, please consider and be mindful of the software you install, especially when such computing systems are used for potentially accessing the corporate network. While the guidelines on software for your personal computers are less restrictive, we still ask that you use extreme caution when loading any type of application onto your devices.

Accept updates. For software to function efficiently and safely, security and patch updates have to be applied on a regular basis, so make sure to accept such updates when pushed out and also take time to update any software on your personal computers that does not rely on updates pushed out by I.T. personnel.
 

HIPAA  Security  Awareness  Training  Program  |  2013     68  
 
Downloading from the Internet. Any software obtained from the Internet is to be considered copyright protected, which means accepting the applicable license agreement, and the software must also be comprehensively scanned to ensure it contains no dangerous or malicious code. The Internet can be an extremely dangerous place when it comes to software, as many products seem harmless only to contain viruses that can wreak havoc on computers. Think before you download any software online, and check what you downloaded against the checksum or digital signature the publisher provides before running it.
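
The checksum check mentioned above, as an added example that is not part of this manual: it parses a vendor-style SHA256SUMS list, hashes the downloaded file in chunks, and compares the two. The installer bytes and the checksum list are constructed inside the example so it runs offline; in practice the list (ideally signed) comes from the vendor over HTTPS and the file is whatever you downloaded. The file name acme-installer.exe and the helper names are assumptions for illustration.

```python
"""Verify a downloaded installer against the publisher's SHA-256 checksum list.

Added example for this manual, not code from the manual's author. The
installer bytes and the SHA256SUMS text are constructed here so the example
runs offline; in real use the checksum list (ideally signed) is fetched from
the vendor over HTTPS and the installer is whatever you downloaded.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Optional

# Constructed stand-in for a real download (not a real program).
SAMPLE_INSTALLER = b"acme-installer fake payload 1.2.3\n" * 2048

# Constructed SHA256SUMS file in the usual "<hex digest>  <file name>" layout.
# The digest for our sample is computed here only because the bytes are made
# up; a real checksum list is published by the vendor, never derived locally.
SAMPLE_SUMS = (
    "# Acme Installer 1.2.3 release checksums\n"
    + "0" * 64 + "  other-tool.tar.gz\n"
    + hashlib.sha256(SAMPLE_INSTALLER).hexdigest() + " *acme-installer.exe\n"
)


def parse_sums(text: str) -> Dict[str, str]:
    """Map file name -> lower-case hex digest; tolerates the '*' binary-mode marker."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # sha256sum writes " *name" for binary mode
        if len(digest) != 64 or not all(c in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest.lower()
    return sums


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-gigabyte installers do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path: str, sums_text: str, name: Optional[str] = None) -> Optional[bool]:
    """True if the file matches its published digest, False if it does not,
    None if the checksum list has no entry for it (treat None as a failure too)."""
    expected = parse_sums(sums_text).get(name or os.path.basename(path))
    if expected is None:
        return None
    # compare_digest avoids a timing side channel; not critical for a local
    # file check, but it is the habit to keep for any digest comparison.
    return hmac.compare_digest(sha256_file(path), expected)


def demo() -> Dict[str, Optional[bool]]:
    """Write the sample to disk, verify it, then verify a tampered copy and an unlisted file."""
    results: Dict[str, Optional[bool]] = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "acme-installer.exe")
        with open(good, "wb") as f:
            f.write(SAMPLE_INSTALLER)
        results["genuine"] = verify_download(good, SAMPLE_SUMS)

        # A single changed byte: what a trojaned mirror or a corrupt download looks like.
        with open(good, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        results["tampered"] = verify_download(good, SAMPLE_SUMS)

        results["unlisted"] = verify_download(good, SAMPLE_SUMS, name="not-in-list.exe")
    return results


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'tampered': False, 'unlisted': None}
```

A checksum only proves the file is the one the vendor published; if the checksum list itself was fetched from the same possibly compromised page, verify the vendor's signature over the list as well.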
   
Software audits. As an employee of the company, you should know that the company has the right to conduct random software compliance audits on workstations, including laptops issued to you and any personal laptop used for company business. The audits ensure compliance with software licensing rules, while also ensuring your computers are free of potentially dangerous applications. If you are not sure what constitutes approved software, simply ask authorized I.T. personnel.

Penalties and fines. Did you know that the company, and you as an employee, can be fined for improper software use? Yes, it is that serious, which is why we take the time to discuss this important issue with you. Under the U.S. Copyright Act, illegal reproduction of software is subject to statutory civil damages of up to $150,000 per title infringed where the infringement is willful (17 U.S.C. § 504(c)(2)), and to criminal penalties including fines of up to $250,000 and imprisonment of up to five years for a first offense, or up to ten years for a subsequent offense (18 U.S.C. § 2319(b)).

Internal Threats
   
Often the greatest enemy of any organization is its own employees, when they undertake malicious acts that cause severe security damage. From stealing files to accessing privileged and sensitive information, insider threats are unfortunately on the rise. Yet it is more than deliberate and fraudulent activity that creates so many security challenges for businesses; it is also unintentional acts, such as opening virus-infected attachments, visiting websites that drop executables onto computers, and other unfortunate practices by employees. Not knowing is just as bad as a deliberate act, at least in terms of consequences for the organization, so keep that in mind. Studies of insider incidents consistently note the following:

• A negative event in the workplace often triggered the incident.
• The malicious individual had planned the incident in advance, and had often been given prior disciplinary action for some other matter.
• The vast majority of incidents used simple tools and commands, not elevated system administrative privileges.
• A statistically significant share took place over remote access from outside the organization's network, such as from the individual's home.

 
A list of recent and notable insider incidents that caused severe damage to organizations includes the following:

• Theft of highly sensitive and confidential documents using USB drives, which are easy to obtain, conceal, and use.
• Obtaining company trade secrets by accessing privileged folders in a cloud computing environment, by a vendor whose access had supposedly been removed.
• Hundreds of checks forged for amounts ranging from $50 to $25,000, all from a company checkbook that had been thrown into a dumpster outside the company's headquarters.

The list goes on and on; from deliberate acts to dangerous, unintended mishaps, internal threats are everywhere. All employees have a responsibility to live by the motto "if you see something, say something", and to do so immediately. With that said, be alert and on the lookout for the following suspicious behaviors by others:

• Mood swings, violent and/or aggressive actions.
• Sudden change in behavior, work ethic, morals, etc.
• Discussion of suicide, harming others, general negativity, etc.
• Combative, argumentative, etc.
• Appearing intoxicated or using illegal substances.
• Verbal and/or email threats towards others.
• Unexplained absence and tardiness at work.
• Disregard for company rules and regulations.
• Not being a "team player", etc.

It is about being alert and watchful, yet not paranoid: accusing somebody of a crime or incident they did not commit also has ramifications for the organization, and for you, so think first. Also be watchful of things that just do not seem right, such as a door ajar for no apparent reason, confidential documents placed in a public area, or smoke or other environmental factors you may be suspicious of. In summary, use your natural intuition to help protect the organization from a growing list of serious internal threats.

Physical Security and Environmental Security
   
Physical security elements are safeguards enacted to ensure only authorized individuals have access to physical locations, such as corporate facilities, data warehouses, computer operations centers, and any other critical areas. Additionally, physical security consists of the various measures put in place to protect organizational assets, ranging from people and property to any number of tangible goods, services or products. With many organizations today outsourcing critical functions to data centers, managed services providers, and document storage facilities, to name a select few, physical security has become a critical component of one's risk assessment and risk management framework. Knowing where your assets are and how they are protected is paramount. But it is just as important to have physical security controls in place at one's corporate office, satellite offices, and any other important locations.

Another important component of physical security is the supporting environmental security controls in place. Specifically, environmental security elements are the essential measures used to protect physical surroundings from damaging elements, such as fire, water, smoke, electrical surges, spikes, and outages, along with any other hidden dangers. Environmental safeguards are critical in that they, along with physical security, ensure the safety of employees, company property, and all other pertinent physical elements near the facility.

 
Additionally, because of the numerous environmental threats that any facility may face, it is important both to understand these threats and to have appropriate response mechanisms in place for them. Environmental threats to be aware of include, but are not limited to, the following:

• Fires, floods, earthquakes, prolonged extreme weather conditions (both hot and cold), civil and social unrest.
• Air quality issues, such as those that aggravate asthma, and metal poisoning, such as from lead.
• Irrigation and land degradation issues.
• Land issues, such as urban sprawl or overpopulation.
• Nuclear issues.
• Water pollution and pollution of other natural resources, along with resource depletion.
• Toxins and waste issues.
• Proximity to any other facility or facilities that store, process or transmit any type of goods or services that are deemed dangerous, combustible, or otherwise hazardous.
• Any other man-made or natural disaster that may pose a real and credible threat to the operations of the facility.

Incident Response
   
Data breaches, cyber security threats, and many other malicious exploits are challenging organizations like never before, ultimately requiring comprehensive security measures to help ensure the confidentiality, integrity, and availability (CIA) of one's entire information systems landscape. Unfortunately, security breaches do happen, even with the best controls in place, thus the ability to respond swiftly and effectively is a must for mitigating any further damage. It is the main reason why every organization should have a well-defined and in-depth incident response plan in place, one complete with documented policies and procedures, along with the essential forms and templates to be used as necessary. A structured protocol is extremely important for incident response, as it achieves the following:

• Responding immediately with best-of-breed information security practices.
• Isolating the affected systems as quickly as possible, helping minimize the threat to other critical system components.
• Helping minimize system downtime, while restoring critical infrastructure to full operational capability as quickly as possible.
• Providing a "lessons learned" review for every incident, regardless of size, scale, complexity, and severity.

Comprehensive incident response requires participation and involvement from everyone within the organization, from senior management all the way down to end users of systems, including you, along with awareness of the following core components of incident response:

• Preparation
• Detection
• Initial Response and Containment
• Security Analysis | Recovery & Repair
• Communication
• Post Incident Activities and Awareness
• Training and Testing

Remember, if you see something, say something, immediately!

Personally Identifiable Information (PII)
   
Personally Identifiable Information (PII) has become a notable topic in information security, as organizations are spending vast resources to ensure the safety and security of such information, much of it revolving around personal consumer financial and health data. With growing cyber security threats and the ever-increasing number of data breaches and security compromises, protecting PII is now more important than ever. With the widespread use of technology, PII is everywhere, being stored, processed and transmitted all over the globe at levels of efficiency once thought unimaginable. But with thousands, and counting, of PII breaches, organizations find themselves constantly challenged by malicious threats, lawsuits, regulators, compliance auditors, and irate customers.

What exactly is PII? According to the National Institute of Standards and Technology (NIST) publication SP 800-122, "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)", it is the following:

"Any information about an individual, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."

 
A more detailed listing of Personally Identifiable Information is the following:

• Full name, with all middle names (especially if the name is not common).
• Any part of an individual's name that is stored or displayed in conjunction with any of the subsequent listings of data and information deemed PII.
• National identification information, such as passports, visas, permanent residence cards, voting information, social security number (United States), or any other type of unique identifier used on a national level.
• Local and/or state, provincial, etc. information, such as driver's licenses, vehicle registration and permit documents, or any other type of unique identifier used on a local, state, or provincial level.
• Digital identifiers, such as IP addresses, usernames, passwords, etc.
• Facial, fingerprint, iris and all other associated biometric information.
• Date of birth.
• Place of birth.
• Medical records (i.e., protected health information (PHI) and electronic protected health information (ePHI)), and all associated data and information contained (electronically or in hard copy) in the medical records. Also, genetic information, if applicable.
• Criminal records.
• Financial and accounting records, such as banking, mortgage, revolving debt and tax information, along with credit and debit cards.
• Educational information, such as classes taken, schedule, grades received, degrees conferred, disciplinary actions, financial aid, student loans, etc.
• Professional and occupational information, such as salary, tenure, etc.
• Professional licenses, certifications, designations, etc.
• Any other information deemed PII, but not listed above.

 
Additionally, the following laws, legislative mandates and industry-specific directives require the protection of PII at all times, making the challenges even greater for organizations storing, using, and disclosing such information:

• The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
• The Health Information Technology for Economic and Clinical Health (HITECH) Act, Subtitle D.
• The Gramm-Leach-Bliley Act (GLBA).
• The Family Educational Rights and Privacy Act (FERPA).
• Children's Online Privacy Protection Act (COPPA).
• Freedom of Information Act (FOIA).
• The Electronic Communications Privacy Act (ECPA).
• Federal Trade Commission (FTC) Red Flags Rule (identity theft regulation).
• Payment Card Industry Data Security Standard (PCI DSS).
• All other applicable local, state, and federal laws and legislation.
• All other applicable industry directives.

Protected Health Information (PHI) | HIPAA
 
The ability to successfully ensure the safety and security of PHI for your organization depends heavily on understanding what PHI is, specifically what the common examples of this type of information are. Under the HIPAA Privacy Rule (45 CFR 164.514(b)), health information is individually identifiable, and therefore PHI, when it is linked to any of the following identifiers of the individual or of the individual's relatives, employers, or household members:

• Names.
• All geographic subdivisions smaller than a state (street address, city, county, ZIP code), with a limited exception for the first three digits of a ZIP code.
• All elements of dates (other than year) directly related to an individual, such as birth date, admission and discharge dates, and date of death, plus any age over 89.
• Phone numbers.
• Fax numbers.
• Email addresses.
• Social Security numbers.
• Medical record numbers.
• Health plan beneficiary numbers.
• Account numbers.
• Certificate | license numbers.
• Vehicle identifiers and serial numbers, including license plate numbers.
• Device identifiers and serial numbers.
• Web Uniform Resource Locators (URLs).
• Internet Protocol (IP) addresses.
• Biometric identifiers, such as finger, voice and retinal prints.
• Full face photographic images and any comparable images.
• Any other unique identifying number, characteristic, or code.

The eighteen categories above are also the Privacy Rule's "Safe Harbor" list: only when all of them have been removed, and the organization has no actual knowledge that what remains could still identify the individual, may the data be treated as de-identified and therefore outside the Privacy Rule.

Additionally, Protected Health Information (PHI) is a subset of Personally Identifiable Information (PII); the two share many similarities in the types of data and information involved.
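
As an added example that is not part of this manual, the following scanner flags the mechanically recognizable identifiers from the list above (dates, phone numbers, email addresses, Social Security and medical record numbers, IP addresses and URLs) in free text and redacts them, the kind of check a data loss prevention control runs on an outbound email or a support ticket. The regular expressions, the identifier classes they stand for and the sample lines are illustrative assumptions: names, plain account numbers and dates in other formats are not caught by simple patterns, which is why a real control pairs patterns with context and human review.

```python
"""Flag HIPAA Safe Harbor identifiers in free text before it is emailed, pasted
or exported.

Added example for this manual, not code from the manual's author. The regular
expressions, the identifier classes they stand for and the sample lines are
illustrative assumptions: names, plain account numbers and dates in other
formats are not caught by simple patterns, which is exactly why a real data
loss prevention (DLP) control pairs patterns with context and human review.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample records; nothing here refers to a real person or system.
SAMPLE_LINES = [
    "Patient John Q. Public, DOB 03/14/1961, MRN 00482913, called re: results",
    "Reach the lab at 555-867-5309 or lab@example.org before 5pm",
    "Remote session from 203.0.113.42 reviewed chart https://ehr.example.net/chart/88213",
    "Quarterly fire-drill schedule posted in the break room",
    "SSN on file: 123-45-6789; plate ABC-1234",
]

# One pattern per identifier class we can recognise mechanically. Order matters
# for redaction: URLs are consumed first so an address embedded in one is not
# half-replaced by the IP or email pattern.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "url": re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "mrn": re.compile(r"\bMRN\s*:?\s*\d{6,}\b", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
}


def find_identifiers(text: str) -> List[Tuple[str, str]]:
    """Return (identifier class, matched text) for every hit in `text`."""
    hits: List[Tuple[str, str]] = []
    for kind, pattern in PATTERNS.items():
        hits.extend((kind, m.group(0)) for m in pattern.finditer(text))
    return hits


def scan_lines(lines: List[str]) -> Dict[int, List[Tuple[str, str]]]:
    """Map line index -> hits, only for lines that contain at least one identifier."""
    report: Dict[int, List[Tuple[str, str]]] = {}
    for i, line in enumerate(lines):
        hits = find_identifiers(line)
        if hits:
            report[i] = hits
    return report


def redact(text: str) -> str:
    """Replace each hit with a [CLASS] token so the line can be logged or quoted safely."""
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(f"[{kind.upper()}]", text)
    return text


if __name__ == "__main__":
    for i, hits in scan_lines(SAMPLE_LINES).items():
        print(f"line {i}: {[k for k, _ in hits]} -> {redact(SAMPLE_LINES[i])}")
```

Run against the constructed lines, every line except the fire-drill notice is flagged, and the name "John Q. Public" and the license plate pass through untouched, which is the point: pattern matching catches the structured identifiers, and policy, training and encryption have to cover the rest.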
Protecting Information (Hard-Copy)
   
Call it PII or any other variant thereof (highly confidential, sensitive, restricted information): it all needs to be protected at all times, both as physical hard-copy material and in electronic format. As for hard-copy documents, even in today's world the use of paper is still quite prevalent, thus protecting paper records in the following manner is a must:

• First and foremost, avoid printing any documentation containing PII if you can. If that is not possible, then limit it to the extent possible. Remember, paper records should only be generated, used, and/or retained if there is a legitimate business need.
• For paper records containing PII, assign tracking and logging mechanisms as necessary to establish their use and whereabouts at any given time, and assign an approved data classification level (e.g., sensitive, secret, etc.) to such material.
• Paper records containing PII must be physically stored in a secure location at all times, such as locked file cabinets, locked office desks, or any other acceptable measure that keeps them safe from unauthorized parties.
• When such records are no longer needed for business or compliance purposes (such as data retention laws, etc.), they are to be shredded and the destruction documented accordingly. This means having secure shredding bins strategically located throughout the facility, and it also means never throwing paper records containing PII, or any other sensitive and confidential information, into a garbage can without shredding them.
• Other acceptable means of destroying paper records containing PII may include, but are not limited to, shredding, burning, pulping, or pulverizing the records so that the PII is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
• Do not allow paper records containing PII to be viewable or accessible in common areas, or in an unsupervised fashion, such as left on your desk or any other workstation or work area while you are not present.

 
• The transporting of paper records containing PII is to be limited to authorized personnel only, at all times.
• When transporting paper records, please keep in mind the following best practices:

o Keep the information close to you at all times.
o When unattended, ensure the information is physically secure, such as in a locked file cabinet, safe, etc.
o Keep the information away from public view, so as not to "broadcast" to the general public the documentation in your possession.
o Do not transport other hazardous or dangerous items (i.e., chemicals, etc.) when transporting PII.

• Implement physical access controls and other security safeguards to protect paper records containing PII at all times, such as the following:

o Use electronic access control systems (ACS), such as badge readers and applicable biometric identifiers.
o Promptly remove all users from company-wide access to all system components and facilities upon their termination.
o Utilize security cameras, alarms, and other physical security detective and preventive solutions.
o Include provisions for responding to issues and security breaches pertaining to paper records containing PII.

• Be alert at all times. If you see paper records being inappropriately handled, residing in insecure areas, left unattended, stolen, or compromised in any other way, then say something and report the issue immediately to authorized personnel. Security is everyone's responsibility. Additionally, if you yourself have lost or misplaced paper records containing PII, report the issue immediately.

Protecting Information (Electronic Format)
   
As for protecting PII in electronic format, or any other information, use the access rights granted to you specifically for legitimate business purposes, and nothing else. Logging into accounts with other employees' usernames and passwords is strictly prohibited. Remember, access to your organization's system components is not a "right", it is an exclusive "privilege" granted to select employees, so act accordingly and do not abuse such privileges. More specifically, do not attempt to access information that you are not authorized to access, and do not engage in eavesdropping or snooping, such as looking up PII on customers, other employees, etc. Additionally, never leave a workstation unattended while it is displaying PII, as the information is then readily exposed to other parties. In short, treat someone else's information the way you would want your own data treated: with respect, privacy and security.

 
Other important security awareness measures to incorporate for protecting PII in electronic format, and for implementing information security best practices, consist of the following:

Encryption. When sending, receiving, and accessing PII, it needs to be encrypted, that is, transformed so that it is unreadable to anyone without the key, for ensuring its confidentiality and integrity. When sending PII via electronic mail (email), always use encrypted email, and always ask for data to be sent via encrypted email when receiving it. Additionally, when accessing and transferring data, be sure to use encryption at all times, such as making sure your Internet browser shows HTTPS in the address. For example, https://www.acmebrickcompany.com is secure, as the "s" means the connection to the site is encrypted, while http://www.acmebrickcompany.com is NOT secure, as there is no "s" in the address. Just remember that the "s" stands for secure. Two caveats: HTTPS protects the data only while it travels between your browser and the site, not how the site stores it afterwards, and if the browser shows a certificate warning the protection cannot be trusted, so do not click through it.

Instant Messaging. A fun, easy, and commonly used platform for communicating and exchanging information is instant messaging (IM), for which there are many providers. Unfortunately, IM is not a secure platform; it is subject to "snooping" and "eavesdropping", and as such, PII should never be sent or received over these mediums, no exceptions. Additionally, IM software (the actual clients or "plug-ins") should never be loaded onto any desktops, laptops, or workstations containing PII, or from which PII can be accessed. Chatting about anything deemed sensitive and confidential to your organization on IM platforms is strictly forbidden. Think before you send anything over IM. Using common sense is one of your best practices regarding information security.

Facsimile. Though slowly fading away as a communication method, fax machines and the process of "faxing" are still used by many companies, but fax is also a highly insecure platform, thus never send or receive PII over this medium.

 
Removable storage devices. Devices that connect via USB ports, such as thumb drives, external hard drives, and other removable storage and memory devices, are never to contain any PII. Their small size, lack of security (such as not having encryption) and the ease with which these devices may be obtained (conferences, trade shows, etc.) make them a high-risk item, especially with respect to PII. Stories abound on the Internet of these devices being given to unsuspecting patrons at various events only to be found riddled with malware once inserted into a company-owned computer.

Disposing of I.T. assets. Approved disposal techniques are always to be used when destroying computer hardware and related assets. Sure, you can take a sledgehammer to a computer, effectively breaking it into many pieces, but that is not necessary, as the following disposal activities work quite well:

• Physical disintegration, especially for various types of optical media.
• Shredding (disk grinding device).
• Incineration by a licensed incinerator.
• Pulverization.
• Degaussing, which is essentially demagnetizing magnetic media (it does nothing to solid-state drives or flash memory, which must be sanitized or physically destroyed instead).
• Secure-wipe programs, which overwrite the data in place; for solid-state drives, prefer the drive's built-in sanitize or cryptographic-erase command, as overwriting cannot reach every flash cell.

Remember also that sending a file containing sensitive and confidential information to the "trash" folder, or emptying the "recycle bin" on your computer, is not in any way considered safe disposal of I.T. assets: the data blocks remain on the disk until something happens to overwrite them.
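
As an added example that is not part of this manual, the routine below shows what a secure-wipe program does that "delete" does not: it overwrites a file's blocks in place with random bytes, forces them to disk, shrinks the file to zero length and only then unlinks it. The sample record and the temporary file are constructed by the example itself. The limits noted in the docstring are assumptions a practitioner must carry: on solid-state drives, copy-on-write or journaling file systems, and anywhere snapshots or backups exist, overwriting a file does not guarantee the old bytes are gone, so disposal of the media relies on the drive's sanitize / cryptographic-erase command or physical destruction (NIST SP 800-88).

```python
"""Overwrite a file holding PII before unlinking it, with the limits stated.

Added example for this manual, not code from the manual's author. Deleting a
file or emptying the recycle bin only removes the directory entry; the data
blocks stay on the media until something else happens to reuse them. This
routine rewrites those blocks in place first. Assumptions to keep in mind:
the overwrite is meaningful on conventional magnetic disks; on SSDs, on
copy-on-write or journaling file systems, and wherever snapshots or backups
exist, the old bytes can survive regardless, so disposal of the media itself
should use the drive's built-in sanitize / cryptographic-erase command or
physical destruction (NIST SP 800-88). The file below is created by the
example itself in a temporary directory.
"""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB at a time, so large exports do not load into memory

# Constructed sample export; a made-up record, not a real patient.
SAMPLE_RECORD = b"Patient: Jane Sample, MRN 0000001, DOB 01/02/1970\n" * 2048


def overwrite_and_unlink(path: str, passes: int = 1) -> int:
    """Overwrite `path` in place `passes` times with random bytes, force it to
    disk, shrink it to zero length (so the size leaks nothing either), then
    unlink it. Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    # "r+b" opens without truncating, so the writes land on the file's current
    # blocks rather than on freshly allocated ones.
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the overwrite through the OS cache
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    os.unlink(path)
    return size


def demo() -> tuple:
    """Create a PII-bearing file, wipe it, and report (bytes overwritten, file gone)."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "patient-export.csv")
    with open(path, "wb") as f:
        f.write(SAMPLE_RECORD)
    overwritten = overwrite_and_unlink(path, passes=2)
    gone = not os.path.exists(path)
    os.rmdir(d)
    return overwritten, gone


if __name__ == "__main__":
    print(demo())
```

The same idea is what tools such as shred on Linux implement; whatever tool is used, the policy question is the media, not the file, which is why the disposal list above ends with sanitization and destruction of the drive itself.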

HIPAA  Security  Awareness  Training  Program  |  2013     83  


Data Retention
   
Understanding the company's data retention and destruction policies is an important part of being a responsible and knowledgeable employee. Because today's ever-growing list of regulatory compliance laws, legislation, regulations, and industry-specific mandates requires strict data retention procedures and practices, you need to become well versed in this critical topic. After all, destroying records too early and keeping excessive records on file for no apparent reason both have numerous disadvantages for the company. Look upon data retention as the following: data and records management for meeting legal and business archival requirements regarding retention time, archival rules, data formats, and the permissible means of storage, access, and encryption. PCI DSS, HIPAA, and many other legislative mandates all have guidelines on data retention, and on destruction, so it is important to communicate with senior management and other authorized personnel to ensure you have a strong understanding of the company's data retention and destruction program. That means asking for a copy of the data retention and destruction policy, thoroughly reading it, and knowing what the rules are. Additionally, please consider the following general guidelines, tips, and recommendations:

• It is everyone's responsibility. While you as an employee may not be directly responsible for data retention and destruction procedures (that is generally the job of I.T. personnel), you need to be aware of instances of non-compliance by other employees and other policy violations. Deleting, purging or destroying electronic records and/or hard-copy data that should not be destroyed is a violation, so report such issues immediately. Additionally, if you notice boxes piling up in a storage facility that are years old, say something and bring attention to it. Everyone has a responsibility when it comes to data retention and destruction.

   
• Follow the policy. Sounds easy, yet policy violations are one of the biggest issues for companies today. Do not create problems for yourself; follow the data retention and destruction policy. After all, it has been written for a specific reason and tailored to the company's specific needs.

• Use a shredder. A big challenge in data destruction is making sure all employees use an actual shredder, or at the very least dispose of hard-copy, paper-based documents in a designated, secured bin that is ultimately used for shredding. That means never throwing business documents into a general trash can, such as the one directly under your workstation, in a common area (i.e., break room, bathroom, etc.) or any other unsafe bin. How many times have you heard on the news of "dumpster divers" finding highly sensitive and confidential documents that companies carelessly threw away, such as blank check stock, contractual agreements, and other privileged information? It happens, unfortunately, but let's work to make sure it does not happen at this company!

Identity Theft
   
No security awareness training would be considered complete without covering the essential topic of identity theft, which is one of the fastest growing crimes today. Advances in technology, though plentiful with benefits, also leave everyone vulnerable to malicious individuals. Identity theft, according to the United States Federal Trade Commission (ftc.gov), is when someone steals your personal information and uses it without your permission. Three (3) important aspects of identity theft are worth discussing: (1) looking for signs that it has actually occurred; (2) protective measures to undertake; (3) what to do if you're a victim.

As for watchful signs, consider the following to be possible indicators of identity theft. Remember, the earlier it's caught, the greater the chances of minimizing the damage to you and your family:

• The type of mail you are receiving changes, or you stop getting certain bills or other items. Many times, fraudsters actually change somebody's mailing address, forwarding it to another location.
• You receive a statement for a credit card or some other type of purchase you never made.
• Money is withdrawn from your bank account for unknown charges.
• You receive calls from debt collection agencies for debts unknown to you.
• You receive bills for medical services that you are unaware of (health care fraud is rampant).
• Upon examining your credit report, you find unfamiliar accounts.
• You encounter discrepancies between Internal Revenue Service (IRS) records and your annual tax filings. Fraudsters often steal someone's social security number for purposes of employment – especially if they are not legally permitted to work – recording earned wages under your social security number.
• You've been notified that a data breach has occurred and your personal information has been compromised.

   
Let's discuss some protective measures to take against identity theft, which consist of the following:

• Always keep sensitive and confidential information physically secure, such as in locked files, cabinets, safes, etc. When you have friends, relatives or guests over, be sure to put personal documentation away where it is not viewable by anyone.
• Limit what you carry in your wallet and purse to just the minimum – a credit card or two, driver's license, important health care information, etc.
• Always ask "why". More specifically, if somebody asks for your personal information (date of birth, social security number, etc.), always politely ask why they need it, how it will be used, where it will be stored, etc.
• Shred documents such as receipts and financial account statements, and peel the labels off prescription bottles before discarding them.
• Put outgoing mail in secure drop facilities, such as the actual U.S. post office. If you don't trust your own outgoing mail at your business or residence, don't use it.
• Try to limit providing your home address and strive to use an actual Post Office box address or a mail drop address when possible. The more thieves know about you (such as where you actually live), the greater their chances of striking again.

If you've unfortunately become a victim of identity theft, it's time to act quickly to protect yourself, which means cancelling credit cards and contacting all financial institutions to alert them. What's extremely important is to begin communicating and writing letters to various organizations, such as credit reporting bureaus and businesses, for which the Federal Trade Commission (ftc.gov) provides a number of sample identity theft letters to use.
Online Security and Mobile Computing
   
Security awareness is also about understanding today's ever-growing online threats, many of which can result in serious security issues for your organization along with identity theft for yourself. We all spend large amounts of time online, for both professional and personal reasons, using laptops and portable devices, so it's important to take note of the following tips:

Trust, but verify. It essentially means knowing who is requesting or asking for any type of information from you, from highly sensitive and confidential customer information to your own personal information. Social engineering – tactics used to gain access and steal valuable assets – is on the rise, so be watchful and mindful at all times.

Enable security. This means making sure that you have anti-virus on whatever computer is being used to access the Internet, and possibly even using what's known as a personal firewall, which comes standard with many operating systems, especially the Microsoft Windows operating systems. It also means using a username and password to protect the contents of your laptop should it ever be lost, stolen, or misplaced.

Protect your physical assets. This means not leaving your laptop, PDA, tablet, etc. unattended for any period of time. Going to the bathroom at the coffee house while leaving your notebook alone is not wise. For company-owned laptops, verify with your I.T. department that the serial number has indeed been recorded. For your own personal laptop, record the serial number also.

Clear out browser sessions. It's a good idea to periodically clean out your browser history to ensure no pre-populated usernames and passwords exist, especially on non-company-owned desktops, laptops, and workstations. As for usernames and passwords, keep them secure (which is in your head!) and nowhere else. This means a clean desk policy, one where no notes with online login information are lying around.

Be mindful on social media sites. You work for your organization, which means you represent it in everything you do, both inside and outside the walls of these facilities. As such, be cognizant of information posted and please strive to use a professional tone and dialect at all times, even with your friends, family members, co-workers, and other online participants you are engaging with. Just remember to ask yourself the following question: "Does the posting or uploading of content to any of my personal social media resources disclose any 'sensitive information' related to my company, or does it in any way impact the safety and security of my organization?" Remember to think before you post.
   
   

Wireless Access Points. Though they're free and easy to connect to, wireless access points can be extremely problematic in terms of security issues, so take note of the following precautions:

• Turn off your wireless connectivity when not in use.
• Connect only to trusted Wi-Fi "hotspots"; if you aren't sure about a network that's being broadcast, ask! If it seems suspicious, then do not connect – most Internet sessions can wait!
• Do not use wireless access points for conducting business activities, unless you have approved VPN and secure remote access software on your laptop.

Protect wireless handheld devices. The continued growth and use of small, mobile devices capable of sending, receiving and storing information – though highly efficient – also requires putting protective measures in place, such as the following:

• Use PIN and/or password security parameters for accessing and unlocking your phone, as this is critical if it's ever lost, stolen or misplaced.
• When disposing of any wireless handheld device, ensure that all sensitive and confidential data has been removed, such as with a secure wipe program.
Shopping Online
   
Shopping online is one of the greatest benefits offered by information technology, as just a click of the mouse lets you buy almost anything imaginable. Yet as with most luxuries in life, such benefits also have significant risks, and protecting your personal consumer information – and company information – is always a top priority when shopping online. Please take some time to learn about the following safe shopping tips and habits:

Use only known and trusted merchants. That means staying away from websites that simply don't look or feel safe – and they may not be – so stick to your known stores, and the ones that everyone uses for purchasing products and services. Remember, when purchasing something online, always look for the "s" in the "https" part of the browser address, as the "s" stands for security! So beware of bargain hunting tactics and the inclination to use unknown sources for online purchases – it's just not worth it.

Do not provide personal information. There's absolutely no reason for a merchant to be asking for highly sensitive and confidential information. It is one thing to enter personal credentials in an online banking session, but not when purchasing something online. If it seems suspicious – it probably is – so report it immediately to any of the helpful resources provided in this training manual. You can always take a few minutes to read the privacy policy at the bottom of a website, and if they don't have one, then it's not a place you'll want to do business with.
   
   
Be mindful of pop-ups, banner advertisements and other solicitations. Often when browsing the Internet and searching for products to buy, you'll receive annoying ads or possibly even suspicious emails for a "must-have" product. While many of these solicitations are legitimate – and legal – some aren't, so use caution at all times.

Opt out of communication. Want to greatly reduce email spam and junk? Then make sure to "opt out" of any further emails and communications from merchants unless you really feel compelled to receive such information.

Bad links are everywhere. Be mindful of any links that ask you to "click here", "download now" or use any other aggressive tactic, as they may be nothing more than malicious software trying to insert dangerous code onto your computer.

Use a credit card, not a DEBIT card. Debit cards are unfortunately tied directly to your personal bank accounts, meaning once a fraudster has your debit card number, it's only a matter of time before they can literally wipe out your checking account. Use a credit card, which essentially places a limit (usually $50 or lower) on what you're responsible for regarding card theft. Additionally, alternative methods of payment, such as paypal.com, are available whereby consumers don't provide any confidential credit or debit card information to a merchant. Paypal.com is an excellent payment choice, when it's available, and many large online retailers are incorporating it into their shopping cart checkout options.

Trust your instincts. Online shopping is just like any other topic in security awareness – trust your instincts and you should be fine. If the site looks suspicious, it probably is, so stay away from it and move on to another reputable website.
   
Securing Your Home Network
   
Many employees work from home, which means they store, process, and transmit sensitive and confidential company information over their personal networks, which can pose significant security risks. Let's take a look at some best practices for securing your home network.

Use anti-virus. Whatever computer you are using on your home network, it needs to have current, updated anti-virus on it. This is one of the most fundamentally important – and easy to implement – security safeguards, as it protects your computer from malware and other malicious exploits.

Use strong passwords. Whatever you are doing online, it's a good idea to use very strong passwords, those that contain a mixture of letters, numbers, and symbols. This also applies to the actual computer you're logging onto. Remember, home means "home", where children and spouses have access to your items, so protecting them from misuse is important.

Use a personal firewall. A personal firewall is an extra layer of added protection for helping protect your home network in the following manner:

• Protects the user from unwanted incoming connection attempts, ultimately allowing the user to control which programs can and cannot access the Internet.
• Blocks and/or alerts the user about outgoing connection attempts.
• Monitors and regulates all incoming and outgoing Internet traffic.

There are a number of commercially developed software programs you can install to act as a personal firewall, yet you can also use the Windows personal firewall software from Microsoft, which is highly effective. As for Apple, their MacBooks also have a built-in personal firewall option, which should also be used.

Be cautious online. Remember that working from home means you're accessing your organization's information, so be smart about what websites you're visiting, information you are downloading, etc. Being cautious and having a "security first" mindset is a must at all times.

Change your Wi-Fi broadcast name. Known technically as an SSID, it's the name of the wireless network you connect to (if you are in fact using wireless). Make sure to change the default SSID to something more unique. SSIDs that are left with their default names are often an indicator to hackers that the passwords are also still the same defaults that were shipped with the devices. Thus, change both the default SSID and the default password. Your router is the bridge to the Internet, so protect it by removing many of the default settings.

Enable MAC filtering. Additionally, you want to allow wireless access only to trusted laptops, by allowing wireless connections only from known MAC addresses. A MAC (Media Access Control) address is a unique identifier attached to most network adapters – which, in this case, would be the unique identifier of your laptop's wireless adapter.

Change the default password for your router's web access. The default password for the router's web administration interface is essentially the same for every unit of a given model, as assigned by the manufacturer, so it's important to change that default password immediately.

Protecting Your Children Online

One of the most important security awareness initiatives for all individuals is protecting what's arguably the most important asset of all – your children. Being online can be fun-filled, highly entertaining and extremely educational for kids, yet also very dangerous, with predators lurking at every click of the mouse. As responsible parents, ensuring the safety and security of your children is the first and most important task, and it starts with being aware of the dangers and pitfalls of the Internet. Listed below are helpful suggestions and tips all parents should be aware of when it comes to their children's online activities. Remember – if you see something, say something, and act immediately, especially when it concerns the safety and security of children.

Limit Internet access. Sure, all kids want to be online at all hours of the day – that's understandable – yet it's important to set rules and boundaries on Internet usage, which means not putting a computer in a child's room where they have unrestricted access 24 hours a day, 7 days a week. Schedule and agree on times and limits for online usage.

Instill rules. Create a list of rules for you and your children to readily agree to, such as the times and hours they're allowed to access the Internet – more specifically – what websites they are allowed to visit, the type of content they are allowed to post, etc.

Educate. We live in a dangerous world – unfortunately – one filled with sexual predators and online thieves seeking to steal your personal information at any given time. Because of this, it's important to educate your children about the dangers of the Internet, common scams they may encounter, and what to do if they see something that's suspicious. Children are smart – much more than we give them credit for – so spend time educating them on important Internet issues; you'll be surprised at how quickly they pick it up and "get it".
   
 

Trust, but verify. Encourage your children to use caution at all times, instilling what's commonly known as the "stranger danger" concept – keeping everyone at a distance and not trusting anyone they don't know. Tell your children to act in the same manner online, trusting only their close circle of friends.

Don't disclose private information. Sexual predators and other malicious individuals are quite adept at social engineering – gaining the trust of children for purposes of obtaining personal information. Train your kids to never give out personal information, such as their full name or home address – anything that can clearly identify them and allow somebody to find them in person.

Meeting people in person. It's very important to teach your children about the dangers of meeting somebody in person that they've met online. Though many times the encounter is probably safe, sexual predators often disguise themselves as young children online, building trusted relationships with innocent children who unfortunately become victims.

Make a list. Instruct your children to make a complete list of all accounts, friends, and websites they interact with while online. Essentially, you're looking to gain a stronger understanding of the "who, what, when, where, and why" of your children's online activities. The more you know, the safer your children will be, as knowledge is power.

Encourage family Internet time. That means sitting with your children and interacting with them while they "surf" the Internet, but not in a manner that's intrusive and mandatory – rather – one that seeks to indirectly monitor and reassure yourself about your children's browsing activities.
   
   
 
View Internet history. After each session – and until you feel comfortable as a parent – review the web browser history of your child's online activities, looking for any suspicious websites or communication from questionable people.

Set browsing limits. This means installing a browser-safe utility for children along with placing Internet Protocol (IP) restrictions in place that block the viewing of questionable sites. Kids are curious – very curious – and all it takes is a wrong click of the mouse and they're at a website they have no business being on.

Search for helpful tools. There are numerous organizations online providing support, along with a laundry list of software applications and protocols, such as kid-friendly search engine websites, parental control apps, pre-filtered ISP settings for your home computer, event monitoring and tracking tools, etc.

Be diligent, but also respect privacy. You want to protect your children online – no question about it – but don't be overzealous. Give your children a certain amount of privacy and respect online, and they in turn will follow your guidance when it comes to Internet usage. Creating a certain level of balance and respect is the key to forming good online habits for children.
   
   
Security Tips for Travelling
   
Travelling, whether abroad or just nationally, can be extremely stressful with today's ever-growing terror threats and other malicious acts being undertaken by dangerous individuals. It's important to be alert and aware of your surroundings at all times, taking the necessary precautions to ensure your safety and security, while also making travel a pleasurable experience. Please take note of the following security tips when travelling:

Pre-plan. Though it sounds academic, having an essential checklist of items is a really good idea, especially if you're travelling abroad and for an extended period of time. Being overly cautious is never a bad thing – after all – once you've forgotten something, you'll have to spend a considerable amount of money replacing it while afar. Many websites on the Internet have helpful travel checklists, so use them to your advantage.

Familiarize yourself with new surroundings. Get to know where you're going, and that means identifying local police stations, your embassy (critically important!), restaurants, and other venues as necessary. Walking around with the look of being hopelessly lost only invites thieves to prey upon you.

Consider travel insurance. A relatively inexpensive, yet valuable purchase is travel insurance, for travelling both abroad and nationally. From obtaining full reimbursement for airplane tickets to having items stolen in a foreign country replaced at equal or greater value, there's insurance readily available for any type of scenario, so consider such a purchase.

Use a money pouch, traveler's checks, pre-paid or credit cards. Traveler's checks are still available for use, along with other protective measures, such as pre-paid bank cards or region-specific credit cards. You can also obtain a money pouch which sits snugly around your waist, effectively eliminating pickpocketing by thieves. Try to limit using your debit card, as this is often tied directly to your personal bank account.

Carry essential documentation. Pre-planning also means making sure you've got valid identification for travelling, which may be nothing more than a standard driver's license, but often includes essential passport and visa documentation for overseas travel. Carrying essential documentation also means flight itineraries, boarding slips, directions to wherever you're going once you get there, and other essential material.

Do not leave personal items unattended. From arriving at the airport to waiting for a taxi or relaxing at a hotel lounge, never leave personal items unattended, as there are malicious individuals always preying on travelers. Remember to be alert and aware of your surroundings at all times. Additionally, when leaving your locale, such as the hotel or wherever your final destination may be, do not take highly sensitive items with you, such as your passport – leave these documents in a safe repository at the hotel, such as a room safe. Better yet, hide your documents within the room, such as between the mattresses, behind the dresser, etc. You can never be too cautious when protecting highly sensitive documents.

Be mindful of who you speak with. Asking strangers for directions, recommendations on dining, or for any other information should be avoided at all times, because many thieves and other malicious individuals often prey on unsuspecting travelers and tourists. With that said, converse with people with whom you have a stronger sense of security, such as hotel workers and the business and personal associates you're with. Additionally, never share confidential information with strangers, such as your hotel room number, cell phone number, etc.
   

Blend in, don't stand out. It's best to keep a low profile, especially when travelling abroad, and that means leaving the flashy, glittery jewelry and expensive clothes at home. Blending in is one of the very best security measures you can take, so keep this in mind.

Take protective measures. When travelling abroad, check with the Centers for Disease Control and Prevention (CDC) about any significant and dangerous health conditions in the region you're visiting. Also, when abroad – and even when travelling within a certain region – avoid getting into cars that are not marked as designated taxis, avoid places at night that are not well-lit, and avoid being alone – remember – there's security and safety in numbers, so stick to a group whenever possible.

Protect company property at all times. If you have company property with you, such as a laptop, hard-copy documents, or any other essential organizational assets, protect them at all times. This means never leaving such items unattended, along with never allowing anybody but you to physically have possession of company property. Use your intuition and be smart!
Other Important Security Awareness Considerations and Top Internet Scams
   
Security   awareness   is   "the   knowledge   and   aqtude   members   of   an   organizaDon   possess   regarding   the  
protecDon   of   the   physical   and   especially,   informaDon   assets   of   that   organizaDon".     Source:   Wikipedia.   More  
specifically,  security  awareness  is  also  about  being  aware  of  the  growing  fraudulent  schemes  being  used  against  
both   organizaDons   and   individuals   by   malicious   persons   trying   to   extort   funds   along   with   obtaining   highly  
sensiDve  and  confidenDal  informaDon.    It's  a  broad  subject  indeed,  which  means  there's  sDll  more  to  learn,  so  
let's  discuss  many  other  security  awareness  topics  you  need  to  know  about.      
   
Social Engineering. Deceptive tactics used by somebody for the purpose of obtaining something, or gaining access (physically or logically) to something, that they are not authorized to obtain or access. Social engineering relies heavily on human interaction and on building the trust of those the deceiver wants to manipulate. For example, a fired employee may try to get back into his or her previous place of employment by tricking security guards, receptionists, or other personnel with common social engineering tactics, such as "I forgot my access badge, can you let me in?" The trust factor is the most important component of what allows social engineering practices to be successful.
   
Social engineering tactics are long and varied, including the following practices:

1. Using alcohol.
2. Sex.
3. Piggybacking (following somebody into a building).
4. Phishing (tricking somebody into clicking on a link to what they think is a legitimate website).
5. Psychology (using the power of the mind to trick somebody).
6. Tech talk (convincing someone to divulge information based on your technology expertise, such as pretending to be an I.T. administrator at a company).
7. Social network engineering (finding out information online based on social network interactions with someone).

With so many ways to "trick" and deceive people, it's important to be on the lookout for these examples, so if something looks suspicious, report it. Remember also to never give out sensitive and confidential information to anyone unless there's a legitimate reason - trust, but verify.
 
Victim Relief Scams. We as a society like to be perceived as caring, giving, and helpful individuals - people willing to open their hearts and wallets to those in need. Every time a major environmental disaster or unfortunate terror act happens, we're there, ready and willing to help. Unfortunately, so are the scammers, who deploy numerous tactics across today's endless list of technology platforms. From phony websites to fraudulent mailings, the world is full of scam artists working hard to take your money. With so many excellent volunteer organizations and non-profit agencies around, your money can find a good place, just not with the scammers. When receiving emails asking for donations or banner advertisements soliciting funds, do a little due diligence to make sure the organization is legitimate - there's nothing wrong with being giving, just don't be a victim. Remember these helpful tips:
   
• Do not respond to unsolicited incoming email or the links it contains.
• Be skeptical of people claiming to be victims or their relatives. After Katrina, dozens of individuals were indicted for falsely collecting donations.
• Go to trusted websites to make donations.
• Verify the legitimacy of the organization requesting funds - do a little homework.
• Make contributions directly to known organizations rather than going through third parties.
• Be careful about giving out your personal or financial information to anyone soliciting contributions.

Pyramid Schemes. Pyramid schemes are marketing and investment frauds in which an individual is offered a distributorship or franchise to market a particular product. Because the goal in a pyramid scheme is to sell the distributorship or franchise, and not the actual product, it creates an unattainable business model in which no sales effort or strategy has been given to a product (if there ever was one). The end result is a glut of investors, and the scheme unravels. Investors are told, however, that they can recoup their initial investment and generate additional revenue streams for themselves by bringing in new members. The pyramid scheme is simply not mathematically feasible for any viable business model.
   
Ponzi Schemes. A Ponzi scheme is a fraudulent investment operation that pays returns to separate investors from their own money or from money paid by subsequent investors, rather than from any actual profit earned. The Ponzi scheme usually entices new investors by offering returns other investments cannot guarantee, in the form of short-term returns that are either abnormally high or unusually consistent. The perpetuation of the returns that a Ponzi scheme advertises and pays requires an ever-increasing flow of investors' money to keep the scheme going. This type of scheme is named after Charles Ponzi, who operated an attractive investment ploy in which he guaranteed investors a significant return on their investment in postal coupons. The ruse dissolved when he was unable to pay investors who entered the scheme later.
   
Letter of Credit Fraud. Letter of credit frauds are often attempted against banks by providing false documentation of the shipment of goods when, in fact, no goods or inferior goods were shipped. Additional letter of credit frauds occur when fraudsters offer a "letter of credit" or "bank guarantee" as an investment, whereby an investor is promised significant interest rates.
   
   
   
   
 
Health Insurance Fraud. The health insurance industry is a large, complex and ever-growing sector of any nation's economy. Fraud in this specific industry is rampant, with all participants, ranging from primary care physicians to large medical insurance providers, being affected. Common health insurance fraud schemes include, but are not limited to, the following:
 
• Medicare and Medicaid billing fraud
• Healthcare prescription fraud
• Invoice and billing schemes, geared primarily toward small and medium healthcare practitioners
• Medical equipment fraud
• Personal healthcare identity fraud, such as fraudsters stealing and using individuals' healthcare information for personal gain
• Fictitious health insurance providers selling policies with no intent to ever pay
   
Credit Card Fraud. Credit card fraud is one of the fastest growing crimes today. Almost everyone, at some point in their lives, will become a victim of it. Credit card fraud involves a variety of schemes, ranging from stealing the actual card numbers from any number of sources (trash, computer databases, etc.) to opening fraudulent card accounts with somebody's information. Credit card fraud has recently made national news with breaches in large organizations that resulted in the theft of tens of millions of accounts. The Payment Card Industry Security Standards Council is one of the many associations that helps secure cardholder data with a series of assessment requirements.
   
   
   
   
   
 
Occupational Fraud. A serious fraud threat, occupational fraud involves using one's occupation for enrichment through the deliberate misuse or misapplication of a company's resources and/or assets. This type of fraud involves a number of common schemes such as skimming, cash larceny, bribery, conflicts of interest and fraudulent financial reporting. When most organizations speak of fraud, they are specifically referring to occupational fraud.
   
Invoice and Billing Fraud. Another common fraudulent act that has victimized numerous businesses is invoice and billing fraud. In these schemes, a fraudster develops a fictitious entity, produces invoices for that entity, then sends out the invoices either electronically or by mail to individuals and/or organizations within a specified geographic area. The amount invoiced is trivial; thus the scheme depends on a high number of victims making the desired payments. These schemes can involve any number of products or services (such as office supplies, books and study aid material), donations, and even fictitious charities. Many times, however, this type of fraudulent activity begins within an organization, as a dishonest employee may collude with another party or simply run the entire scheme by himself or herself.
 
Identity Fraud. Identity fraud and theft, commonly known as identity theft, is defined as the unlawful change of identity. This form of fraud is characterized by the illicit use of another's identity (existing or not) as a target or principal tool, typically for personal or financial gain.
 
Unfortunately, this is one of the most common fraudulent acts being committed today. As we move toward a more transparent society that is increasingly dependent on technology and ease-of-use, one's personal identification can be exposed through many channels. It is almost impossible to fully protect your personal identity, due in large part to the wide variety of data-rich sources available to fraudsters.
 
 
   
Telemarketing Fraud. Telemarketing fraud is a fraudulent activity consisting of selling or promoting a pseudo-product over the telephone. Common examples of telemarketing fraud include, but are not limited to, the following:

• Advance fee fraud (claiming that the victim will receive some sort of prize)
• Pyramid schemes and other misrepresented investments or business opportunities
• Overpayment fraud
• Charity fraud
   
Financial Correspondence Fraud (Nigeria) and Advanced Fee Fraud (AFF). Nigerian letter fraud is essentially an Advanced Fee Fraud (AFF) scheme whereby a fraudster will communicate from the country of Nigeria (via mail or email) to another overseas individual and will offer that individual an opportunity to participate in the sharing of a large sum of money. The individual in Nigeria will request personal data such as banking and other financial information, along with having the victim send actual money to the fraudster. It may seem like a farfetched scheme to many individuals, but surprisingly, it continues to be a growing problem. The ploy has been dubbed "419 Fraud," named after Section 419 of the Nigerian Criminal Code. Advanced Fee Fraud (AFF) is not just limited to Nigeria, as a number of other fraudsters around the world have also employed these schemes. As such, AFF can be best defined as the following: when a victim is persuaded to advance sums of money in the hope of realizing a significantly larger gain.
 
Bid Rigging. Bid rigging is a form of fraud in which a contract is promised to one party even though numerous other parties have also presented a bid. There are also additional components to bid rigging, such as bid suppression and bid rotation. They all involve an element of collusion and are illegal in most countries.
 
   
   
   
Phishing. Phishing is the process of acquiring or attempting to acquire sensitive information by masquerading as a trustworthy entity in an electronic communication, in order to deceive Internet users into disclosing their bank and financial account information or other personal data such as usernames and passwords. The "phishers" then take that information and use it for criminal purposes such as identity theft and fraud.
   
Cashier's Check Fraud. There are many variations of cashier's check fraud, ranging from falsified cashier's checks to schemes from foreign entities requiring you to wire them money for the difference between the amount on a cashier's check and the price of the item sold.
   
Debt Elimination Fraud. There are scores of companies promoting debt elimination and consolidation services to consumers and businesses alike. The problem is that they are using techniques that do not work, are illegal, or cause your credit and financial situation to deteriorate. Many consumers have been victims of these bogus schemes, losing thousands of dollars and gaining nothing in return.
   
Work-at-Home Employment Schemes. From envelope stuffing to multi-level marketing, the work-at-home scams are plentiful indeed. What is ironic about many of them is that they are simply an extension of the scammers themselves. That is, you may potentially be colluding with one of them. Most work-at-home schemes try to sell you "starter" packages to begin a business, ask you to call a 900-number to request more information, or engage in some other type of questionable activity. Learn more about these scams here.
 
   
   
   
 
   
   
Tax Fraud. An all-too-common fraud scheme is tax fraud, which comes in the form of tax avoidance, tax evasion and falsifying tax filings, just to name a few. Tax fraud is a growing problem that can be difficult to detect and prevent, and unfortunately, the burden is divided amongst those who do not commit this serious crime. Common fraudulent tax schemes include the following:

• Claiming false deductions
• Concealing income and not reporting (underreporting) it on one's tax returns
• Over-reporting the amount of one's deductions
• Engaging in foreign and/or offshore tax schemes
   
Securities Fraud. Securities fraud, also known as stock fraud and investment fraud, is a practice that induces investors to make purchase or sale decisions on the basis of false information. This form of fraud is in violation of the securities laws, and it frequently results in financial losses. Securities fraud consists of deceptive practices in the stock and commodity markets, and it occurs when investors are enticed to part with their money based on untrue statements. Securities fraud includes outright theft from investors and misstatements on a public company's financial reports. The term also encompasses a wide range of other actions such as insider trading and other illegal acts on a stock or commodity exchange. According to the FBI, securities fraud includes entering false information on a company's financial statements and Securities and Exchange Commission (SEC) filings, lying to corporate auditors, insider trading, various stock schemes and embezzlement.
   
 
   
   
   
 
   
You are a Constant Target. It's unfortunate, but true - you are a constant target and will forever be one in today's world of growing cyber security threats, social engineering tactics, and many other malicious practices. While information technology has afforded society many great benefits, along with it come risks, pitfalls, and challenges - most centering around trying to protect highly sensitive and confidential information. It's a never-ending battle, one that requires constant vigilance and a watchful eye from you, both at work and outside the office. From logging onto your computer each day to buying lunch with your credit card, be alert, be aware, and be on the lookout for suspicious practices. Security for the company is everyone's responsibility - security for you is your responsibility, so let's do it together!
 
The examples above are some of the most common fraudulent schemes that employees of your organization should be aware of. Unfortunately, this is just a small sample of a larger and ever-growing problem facing businesses today.
   
 
   
   
If you see something, say something – Immediately
As an employee, you have a unique responsibility in helping protect the safety and security of critical organizational assets, which means if you see something, say something - immediately. You have a job to do - and you do it well - yet be mindful of things that seem odd, suspicious, out of place, or just don't seem right. From seeing a door ajar that shouldn't be to witnessing a verbal confrontation amongst other employees, it's your responsibility to take appropriate action as necessary. As citizens of today's ever-growing and complex society, we've all seen the enormous benefits - and challenges - presented by information technology, so keep a watchful eye to help protect the company, but also you, your family, other loved ones, and your personal assets. We'd like to credit the Department of Homeland Security's (DHS) motto of "if you see something, say something", as it's a statement we should all take to heart.
   
 
   
   
   
 
   
   
 
Top 20 Security Considerations for I.T. personnel
   
While it's important to focus on many of the basic elements of good security awareness practices for all employees within the company, I.T. personnel should also undertake initiatives for ensuring they're implementing best practices at all times regarding information security. Sure, I.T. professionals are talented, well-skilled employees, and extremely knowledgeable when it comes to ensuring the safety and security of critical system components, yet they can still benefit from a "refresher" list of top security best practices, such as the following:
 
1. Data and Information Classification. Data and information being stored, processed, and/or transmitted on system components that are owned, operated, maintained and controlled by your organization are to have appropriate classification levels in place that clearly define their sensitivity.
   
2. Security Categorization. All system components are to be hardened accordingly for ensuring the objectives of CIA (confidentiality, integrity, and availability) are maintained at all times, while also being assigned a security category in accordance with the United States Federal Information Processing Standards Publication 199 (FIPS PUB 199), "Standards for Security Categorization of Federal Information and Information Systems".
   
3. Physical Security. Appropriate security measures are to be implemented, which includes all necessary physical security controls, such as those related to the safety and security of the actual hardware (i.e., servers) on which system components reside. This requires the use of a computer room or other designated area (facility) that is secured and monitored at all times and where only authorized personnel have physical access to the specified system component.
   
   
 
   
4. Personnel. Employees responsible for general provisioning, maintenance and security of system components are those deemed to be professional, well-skilled, and competent individuals. Not only must they be capable of implementing procedures necessary for ensuring the confidentiality, integrity and availability (CIA) of the specified system component, they must willingly continue to enhance their applicable skill-sets and subject matter knowledge. Remember, hardware and software solutions provided by vendors are only as good as the individuals who deploy them.
   
5. Provisioning and Hardening. All system components are to be properly provisioned, hardened, secured, and locked-down for ensuring their confidentiality, integrity, and availability (CIA). Improperly or poorly provisioned systems can often result in network exploitation by hackers, malicious individuals, and numerous other external and internal threats. Therefore, the following provisioning and hardening procedures are to be applied as necessary when deploying system components onto [company name's] network:
   
• Vendor-supplied default settings are changed.
• All unnecessary accounts are eliminated.
• Only necessary and secure services, protocols and other essential services are enabled as needed for functionality.
• All unnecessary functionality is effectively removed.
• All system security parameters are appropriately configured.
   

6. Time Synchronization. Correct, accurate and consistent time on all system components entails procedures for properly acquiring, distributing and storing time from industry-accepted external sources; those which are based on Coordinated Universal Time (UTC), which is essentially based on International Atomic Time (TAI). And while there are several protocols to synchronize computer clocks, Network Time Protocol (NTP) is highly recommended as it requires a reference clock for defining true and accurate time, is fault-tolerant, highly scalable, and uses trusted external sources (such as UTC). Moreover, NTP's hierarchical structure of clocks, where each level is termed a "stratum", has proven to be a trusted and reliable source for time synchronization.
 
7. Access Rights. Access rights to system components are to be limited to authorized personnel only, with all end-users being properly provisioned as necessary. This includes using all applicable provisioning and de-provisioning forms along with ensuring users' access rights incorporate Role Based Access Control (RBAC) protocols or similar access control initiatives.
   
Additionally, users with elevated and/or super user privileges, such as system administrators, I.T. engineers and other applicable personnel, are responsible for ensuring access rights for all users (both end users and users with elevated and/or super user privileges) are commensurate with one's roles and responsibilities within your organization. Thus, the concepts of "separation of rights" and "least privileges" are to be adhered to at all times by your organization regarding access rights to system components. Specifically, "separation of rights" implies that both the "functions" within a specified system component, of which there are many, should be separated, along with the roles granted to end-users and administrators of these very system components.
   
 
   
   

"Functions" pertains to the actions a system component and its supporting components (i.e., the OS and applications residing on the server) can perform and the associated personnel who have authority over these functions. Thus, when permissible, functions (such as read, write, edit, etc.) should never be grouped together, and end-users and administrators should not be granted access to multiple functions.
   
By effectively separating access rights to system components so that only authorized individuals have access to the minimum rights needed to perform their respective duties, your organization is adhering to the concept of "least privileges", a well-known best-practices rule within information technology.
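As an added example (not the manual's own procedure or any product's code), the following script audits a constructed set of users, roles and system components against the three rules just described: de-provisioned users hold no rights, functions on one component are not grouped under one user, and nobody holds rights beyond their documented duties. Component, role and user names are constructed for illustration.

```python
"""Audit of user access rights against the "separation of rights" and
"least privileges" rules described above.

Added example; it is not the manual's own procedure or any product's code.
Component names, roles, users and their assigned duties are constructed
here for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Grant:
    """One function (read, write, edit, admin ...) on one system component."""
    component: str
    function: str


@dataclass
class User:
    name: str
    roles: list                 # role names assigned via the provisioning form
    active: bool = True         # False once the de-provisioning form is processed
    duties: set = field(default_factory=set)  # (component, function) pairs the job needs


# Role catalogue: role name -> granted functions (constructed sample).
ROLES = {
    "reader":   frozenset({Grant("ehr-db", "read")}),
    "editor":   frozenset({Grant("ehr-db", "read"), Grant("ehr-db", "edit")}),
    "sysadmin": frozenset({Grant("ehr-db", "admin")}),
}

# Constructed sample users.
SAMPLE_USERS = [
    User("alice", ["reader"], duties={("ehr-db", "read")}),
    User("bob", ["editor"], duties={("ehr-db", "edit")}),
    User("carol", ["sysadmin"], active=False, duties=set()),
    User("dave", ["reader", "sysadmin"], duties={("ehr-db", "admin")}),
]


def effective_rights(user, roles=ROLES):
    """Union of all grants from every role the user holds."""
    rights = set()
    for role_name in user.roles:
        rights |= roles[role_name]
    return rights


def audit(users, roles=ROLES):
    """Return (user, finding) pairs for every rule violation."""
    findings = []
    for user in users:
        rights = effective_rights(user, roles)
        # De-provisioned staff must hold no rights at all.
        if not user.active:
            if rights:
                findings.append((user.name, "de-provisioned user still holds rights"))
            continue
        # Separation of rights: functions on one component should not be grouped.
        by_component = {}
        for g in rights:
            by_component.setdefault(g.component, set()).add(g.function)
        for comp, funcs in sorted(by_component.items()):
            if len(funcs) > 1:
                findings.append((user.name, f"multiple functions on {comp}: {sorted(funcs)}"))
        # Least privileges: anything beyond the user's documented duties is excess.
        excess = {(g.component, g.function) for g in rights} - user.duties
        for comp, func in sorted(excess):
            findings.append((user.name, f"excess right {func} on {comp}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_USERS):
        print(f"{name}: {finding}")
```

Feeding the script the real role catalogue and the duties recorded on each provisioning form turns the two principles into a repeatable check rather than a one-time review.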
 
8. Remote Access. All access to system components initiated outside the organization's trusted network infrastructure is to be considered "remote access", and as such, only approved protocols are to be used for ensuring that a trusted connection is initiated, established and maintained. Specifically, all users are to utilize approved technologies, such as IPSec and/or SSL Virtual Private Networks (VPN) for remote access, along with additional supporting measures, such as Secure Shell (SSH), while also employing two-factor authentication. The concept of two-factor authentication (i.e., something you know, something you have, something you are) along with strong password policies creates yet another layer of security relating to access rights for all authorized users granted remote access into [company name's] network. Additionally, all workstations (both company and employee-owned) are to have current, up-to-date anti-virus software installed, while also utilizing any other malware utilities as needed for protecting the workstations and the information traversing to and from the remote access connection. This may also include the use of personal firewall software, along with enhanced operating system settings on the applicable workstations.
   
   
 
 
9. Malware. Malicious software (malware) poses a critical security threat to your organization's system components, thus effective measures are to be in place for ensuring protection against viruses, worms, spyware, adware, rootkits, trojan horses, and many other forms of harmful code and scripts. As such, your organization is to have anti-virus (AV) solutions deployed on all in-scope system components (i.e., servers, workstations, etc.), with the applicable AV being the most current version available from the vendor, enabled for automatic updates and configured for conducting periodic scans as necessary. Because strong and comprehensive malware measures are not just limited to the use of AV, additional tools are to be employed as necessary for eliminating all other associated threats. The seriousness of malware and its growing frequency of attacks within organizations require that all I.T. personnel within your organization stay abreast of useful tools and programs that are beneficial in combating harmful code and scripts.
 
10. Change Control | Change Management. Changes made to configuration settings (i.e., operating system and application(s) changes) of system components require authorized users to initiate an incident and/or change request, which includes completing all applicable forms as necessary. Furthermore, the request must be thoroughly documented, which includes providing the following essential information:

(1). Assigned I.D. or change tracking number.
(2). Representation of all critical dates relating to the requested change itself, such as when the change was originally submitted and approved, as well as when it was migrated to various stages for testing and final deployment to production, if applicable.
(3). Default fields for categorizing (i.e., normal change or emergency change, etc.) and prioritizing (i.e., critical to routine maintenance) the requested change itself.
(4). Documented notation, communication and correspondence throughout the life of the requested change itself, to include, but not be limited to, the following: (a). Documentation of impact. (b). Management signoff. (c). Operational functionality. (d). Back-out procedures.
 
   
   
Additionally, change control measures include changes undertaken in any of the following four (4) environments in which system components reside:

• Change Control | Internally Developed Systems and Applications
• Change Control | Enterprise Wide
• Change Control | Customer Facing Environments
• Emergency Change Management | All Environments
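
The following is an added example (not part of the manual and not any particular change-management product) showing how the documentation requirements of item 10 can be enforced before a change is released to production: a request is blocked until it carries a tracking number, approval and test dates, a valid category and priority, and the four record items (impact, management signoff, operational functionality, back-out procedure). The field names, the sample request and the assumption that an emergency change may skip the test stage are constructed for this example.

```python
"""Change-request readiness check (added example; not from the manual)."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

CATEGORIES = {"normal", "emergency"}          # item 10 (3): categorizing
PRIORITIES = {"critical", "high", "routine"}  # item 10 (3): prioritizing


@dataclass
class ChangeRequest:
    tracking_id: str                     # item 10 (1)
    category: str
    priority: str
    submitted: date                      # item 10 (2): critical dates
    approved: Optional[date] = None
    tested: Optional[date] = None
    deployed: Optional[date] = None
    impact: str = ""                     # item 10 (4a)
    management_signoff: str = ""         # item 10 (4b): name of the approving manager
    operational_functionality: str = ""  # item 10 (4c)
    backout_procedure: str = ""          # item 10 (4d)
    notes: List[str] = field(default_factory=list)  # correspondence over the change's life


def deployment_blockers(cr: ChangeRequest) -> List[str]:
    """Reasons this request may not go to production yet; an empty list means it is ready."""
    problems = []
    if not cr.tracking_id.strip():
        problems.append("missing tracking id")
    if cr.category not in CATEGORIES:
        problems.append(f"unknown category {cr.category!r}")
    if cr.priority not in PRIORITIES:
        problems.append(f"unknown priority {cr.priority!r}")
    if cr.approved is None:
        problems.append("not approved")
    elif cr.approved < cr.submitted:
        problems.append("approval date precedes submission")
    # Assumption for this example: a normal change must pass the test stage first;
    # the manual handles emergency changes under a separate process.
    if cr.category == "normal" and cr.tested is None:
        problems.append("not tested")
    for name in ("impact", "management_signoff",
                 "operational_functionality", "backout_procedure"):
        if not getattr(cr, name).strip():
            problems.append(f"missing {name.replace('_', ' ')}")
    return problems


def ready_for_production(cr: ChangeRequest) -> bool:
    return not deployment_blockers(cr)


def sample_request(complete: bool = True) -> ChangeRequest:
    """Constructed sample: a routine OS patch, optionally missing its back-out plan."""
    cr = ChangeRequest(
        tracking_id="CHG-0001",
        category="normal",
        priority="routine",
        submitted=date(2013, 3, 1),
        approved=date(2013, 3, 2),
        tested=date(2013, 3, 4),
        impact="Kernel update on file server; 10 minute reboot window.",
        management_signoff="J. Doe, IT Manager",
        operational_functionality="Verified shares mount after reboot in test.",
        backout_procedure="Boot previous kernel from the boot menu; remove package.",
    )
    if not complete:
        cr.backout_procedure = ""
    return cr


if __name__ == "__main__":
    print("complete request ready:", ready_for_production(sample_request()))
    print("blockers without back-out plan:", deployment_blockers(sample_request(complete=False)))
```

The check is deliberately a gate rather than a form: the record can be created incomplete (that is what a ticket looks like while the change is being worked), but nothing reaches production until every required item is present.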
   
11. Patch Management. All necessary system patches and system updates for system components (those defined as critical from a security perspective) are to be obtained and deployed in a timely manner, as designated by the software vendor and/or other trusted third parties, through the following channels: (1). Vendor websites and email alerts. (2). Vendor mailing lists, newsletters and additional support channels for patches and security. (3). Third-party websites and email alerts. (4). Third-party mailing lists. (5). Approved online forums and discussion panels. Effective patch management and system updates help ensure the confidentiality, integrity, and availability (CIA) of systems against new exploits, vulnerabilities and other security threats.

Additionally, all patch management initiatives are to be documented accordingly, which shall include information relating to the personnel responsible for conducting patching, the list of sources used for obtaining patches and related security information, the procedures for establishing a risk ranking for patches, and the overall procedures for obtaining, deploying, distributing, and implementing patches specifically related to system components.
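
As an added example (not the manual's own tooling), the check below turns the "timely manner" and "risk ranking" requirements of item 11 into something auditable: each critical patch carries a release date and a risk rank, each rank has a deployment window, and the report lists every system component still missing a patch after its window has closed. The patch identifiers, the inventory and the 30/60 day windows are constructed values; the manual itself does not prescribe specific windows.

```python
"""Patch-compliance report (added example; not from the manual)."""
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample data: patch id -> (release date, risk rank from the patch risk-ranking procedure)
CRITICAL_PATCHES: Dict[str, Tuple[date, str]] = {
    "KB-A": (date(2013, 1, 10), "critical"),
    "KB-B": (date(2013, 2, 1), "high"),
    "KB-C": (date(2013, 2, 20), "critical"),
}

# Assumed policy: days after release by which a patch of each rank must be deployed.
DEPLOY_WINDOW_DAYS = {"critical": 30, "high": 60}

# Constructed inventory: system component -> patches confirmed installed
INVENTORY: Dict[str, Set[str]] = {
    "db01": {"KB-A", "KB-B", "KB-C"},
    "web01": {"KB-A", "KB-B"},
    "app01": {"KB-A"},
}


def overdue_patches(inventory, patches, windows, today: date) -> Dict[str, List[Tuple[str, int]]]:
    """Map each non-compliant host to its missing patches and how many days past the window they are."""
    report = {}
    for host, installed in inventory.items():
        missing = []
        for patch_id, (released, rank) in patches.items():
            if patch_id in installed:
                continue
            deadline = released + timedelta(days=windows[rank])
            if today > deadline:
                missing.append((patch_id, (today - deadline).days))
        if missing:
            report[host] = sorted(missing)
    return report


def compliance_summary(today: date) -> dict:
    """Summary suitable for the patch-management documentation the manual calls for."""
    report = overdue_patches(INVENTORY, CRITICAL_PATCHES, DEPLOY_WINDOW_DAYS, today)
    return {
        "as_of": today.isoformat(),
        "compliant_hosts": sorted(h for h in INVENTORY if h not in report),
        "overdue": report,
    }


if __name__ == "__main__":
    for host, items in compliance_summary(date(2013, 3, 31))["overdue"].items():
        for patch_id, days in items:
            print(f"{host}: {patch_id} is {days} day(s) past its deployment window")
```

A patch that is missing but still inside its window is not reported, so the output only contains exceptions that need an explanation or a remediation date.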
 
12. Backup and Storage. Data backup and storage procedures for system components are to be initiated by authorized I.T. personnel and consist of documented processes and procedures that include the following: (1). The type of backup performed (i.e., full, incremental, and differential backups). (2). The date(s) and time(s) at which the designated backup processes are to commence. (3). The appropriate reporting procedures and related output for confirmation of backups (i.e., log reports, email notification, etc.). (4). Incident response measures in place for backup failures and/or exceptions. (5). Retention periods for all data backups as required by management, customers, and all necessary regulatory compliance mandates.

Additionally, when data has been compromised for any reason, appropriate restore procedures are to be enacted that allow for complete, accurate, and timely restoration of the data itself.
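
The added example below (not from the manual) shows what the three backup types in item 12 mean for a restore and for retention. A differential restore needs the last verified full backup plus the newest differential; an incremental restore needs the last verified full plus every incremental since; a backup whose confirmation report failed (item 12, points 3 and 4) is never placed in a restore chain; and retention pruning must not discard a full backup that a retained incremental or differential still depends on. The catalog, dates and the retention period are constructed for the example.

```python
"""Backup catalog: restore chains and dependency-aware retention (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


@dataclass(frozen=True)
class Backup:
    taken: date
    kind: str        # "full", "incremental" or "differential"
    label: str
    verified: bool   # True only when the confirmation report/log for the job succeeded


def restore_chain(catalog: List[Backup], target: date) -> List[Backup]:
    """Backups to apply, in order, to restore data as of `target`."""
    usable = sorted((b for b in catalog if b.taken <= target and b.verified),
                    key=lambda b: b.taken)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no verified full backup on or before the target date")
    base = fulls[-1]
    after = [b for b in usable if b.taken > base.taken]
    incrementals = [b for b in after if b.kind == "incremental"]
    differentials = [b for b in after if b.kind == "differential"]
    chain = [base]
    if differentials:
        # A differential already contains every change since the full, so it
        # supersedes earlier incrementals; later incrementals still apply.
        latest_diff = differentials[-1]
        chain.append(latest_diff)
        chain.extend(b for b in incrementals if b.taken > latest_diff.taken)
    else:
        chain.extend(incrementals)
    return chain


def prune(catalog: List[Backup], today: date, keep_days: int) -> List[Backup]:
    """Apply the retention period, keeping any full backup a retained backup depends on."""
    cutoff = today - timedelta(days=keep_days)
    keep = {b for b in catalog if b.taken >= cutoff}
    for b in list(keep):
        if b.kind != "full":
            base = max((f for f in catalog if f.kind == "full" and f.taken <= b.taken),
                       key=lambda f: f.taken, default=None)
            if base is not None:
                keep.add(base)
    return sorted(keep, key=lambda b: b.taken)


def sample_catalog() -> List[Backup]:
    """Constructed schedule: weekly full, daily differentials, then incrementals; one failed job."""
    return [
        Backup(date(2013, 3, 3), "full", "full-0303", True),
        Backup(date(2013, 3, 4), "differential", "diff-0304", True),
        Backup(date(2013, 3, 5), "differential", "diff-0305", False),  # job failed; exception raised
        Backup(date(2013, 3, 6), "differential", "diff-0306", True),
        Backup(date(2013, 3, 10), "full", "full-0310", True),
        Backup(date(2013, 3, 11), "incremental", "inc-0311", True),
        Backup(date(2013, 3, 12), "incremental", "inc-0312", True),
    ]


if __name__ == "__main__":
    cat = sample_catalog()
    print("restore to 2013-03-05:", [b.label for b in restore_chain(cat, date(2013, 3, 5))])
    print("restore to 2013-03-12:", [b.label for b in restore_chain(cat, date(2013, 3, 12))])
    print("after 2-day retention:", [b.label for b in prune(cat, date(2013, 3, 13), keep_days=2)])
```

Note that a restore to 5 March falls back to the 4 March differential because the 5 March job was never confirmed; that is exactly why the manual ties backup confirmation output and failure handling to the backup procedure itself.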
   
13. Encryption. When necessary and applicable, appropriate encryption measures are to be invoked to ensure the confidentiality, integrity, and availability (CIA) of system components and any sensitive data associated with them. Additionally, any passwords used for accessing and/or authenticating to the specified system component are to be encrypted at all times, as passwords transmitted in clear text are vulnerable to external threats. As such, approved encryption technologies, such as Secure Sockets Layer (SSL) | Transport Layer Security (TLS), Secure Shell (SSH), and many other secure data encryption protocols, are to be utilized when accessing the specified system component.

14. Event Monitoring. Comprehensive auditing and monitoring initiatives for system components are to be implemented that effectively identify and capture the following events: (1). All authentication and authorization activities by all users and their associated accounts, such as log-on attempts (both successful and unsuccessful). (2). Any creation, modification or deletion of various types of events and objects (i.e., operating system files, data files opened and closed, and specific actions, such as reading, editing, deleting, printing). (3). All actions undertaken by system administrators who have elevated privileges and access rights.

Additionally, for each event described above, the following attributes are to be captured: (1). The type of event that occurred and the system level and/or application level at which it occurred. (2). The date and time of the event. (3). The identity of the user, such as the log-on ID. (4). The origin of the event. (5). The outcome of the event, such as its success or failure. (6). The name of the affected system.
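
As an added example (not the manual's own tooling, and not a real product's log format), the script below stores each event with the six attributes item 14 requires and then performs the kind of review item 17 asks of the independent log reviewer: it flags a burst of failed log-on attempts against one account and lists every action taken under an elevated-privilege account. The log lines, the account names, the pipe-delimited format and the 3-failures-in-5-minutes threshold are constructed for this example.

```python
"""Audit-event capture and review (added example; constructed log format)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log. Fields, in order, are the six required attributes:
# type|level|timestamp|user|origin|outcome|affected system
SAMPLE_LOG = """\
logon|system|2013-03-05T08:00:01|jsmith|10.0.0.21|failure|ehr-db01
logon|system|2013-03-05T08:00:09|jsmith|10.0.0.21|failure|ehr-db01
logon|system|2013-03-05T08:00:15|jsmith|10.0.0.21|failure|ehr-db01
logon|system|2013-03-05T08:00:22|jsmith|10.0.0.21|failure|ehr-db01
logon|system|2013-03-05T08:00:30|jsmith|10.0.0.21|success|ehr-db01
logon|application|2013-03-05T08:05:00|mlee|10.0.0.44|success|ehr-app01
file_read|application|2013-03-05T08:06:10|mlee|10.0.0.44|success|ehr-app01
logon|system|2013-03-05T09:00:00|root|10.0.0.5|success|ehr-db01
file_delete|system|2013-03-05T09:01:30|root|10.0.0.5|success|ehr-db01
"""

# Constructed: accounts the organization treats as holding elevated privileges.
PRIVILEGED_ACCOUNTS = {"root", "administrator"}


def parse(log_text: str) -> List[Dict[str, object]]:
    """Turn the pipe-delimited lines into event records with typed timestamps."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        etype, level, ts, user, origin, outcome, system = line.split("|")
        events.append({
            "type": etype, "level": level, "time": datetime.fromisoformat(ts),
            "user": user, "origin": origin, "outcome": outcome, "system": system,
        })
    return events


def failed_logon_bursts(events, threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str]]:
    """(user, system) pairs with at least `threshold` failed log-ons inside `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e["type"] == "logon" and e["outcome"] == "failure":
            by_key[(e["user"], e["system"])].append(e["time"])
    flagged = []
    for key, times in by_key.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(key)
                break
    return sorted(flagged)


def privileged_actions(events) -> List[Tuple[str, str, str, str]]:
    """Every event performed by an elevated-privilege account (item 14, event class 3)."""
    return [(e["time"].isoformat(), e["user"], e["type"], e["system"])
            for e in events if e["user"] in PRIVILEGED_ACCOUNTS]


def review(log_text: str) -> dict:
    """The reviewer's output: items to escalate to appropriate personnel."""
    events = parse(log_text)
    return {
        "failed_logon_bursts": failed_logon_bursts(events),
        "privileged_actions": privileged_actions(events),
    }


if __name__ == "__main__":
    for section, items in review(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("  ", item)
```

The burst rule is stated in terms of the captured attributes (user, system, time, outcome), which is why the manual insists on recording all six: without the outcome and the timestamp this pattern cannot be distinguished from a normal morning of log-ons.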
   
15. Configuration and Change Monitoring. Specialized software, such as File Integrity Monitoring (FIM), Host-based Intrusion Detection Systems (HIDS), and/or change detection software programs, is to be implemented for monitoring system components, as it provides the capabilities needed to assist in capturing all of the above-stated, required events. Additionally, configuration change monitoring tools are to be used to detect any file changes made within a specified system component, ranging from changes to commonly accessed files and folders to more granular data, such as configuration files, executables, rules, and permissions. Changes made are to result in immediate alerts being generated, with appropriate personnel being notified. Moreover, these tools effectively aid in capturing and forwarding all events in real time, thus mitigating issues relating to native logging protocols, which can be accessed by users with elevated privileges.
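
To make the FIM concept in item 15 concrete, here is an added example (not the manual's and not any particular FIM product) of the core of such a tool: a baseline of content digests and permission bits for every file under a directory, and a comparison that reports modified, added and removed files and permission changes separately, since each of those is a different kind of finding. The directory tree and the changes made to it are constructed inside a temporary directory so the example runs offline.

```python
"""File-integrity baseline and change detection (added example)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Entry = Tuple[str, int]  # (sha256 hex digest, permission bits)


def snapshot(root: Path) -> Dict[str, Entry]:
    """Digest and mode of every regular file under root, keyed by path relative to root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            mode = stat.S_IMODE(path.stat().st_mode)
            baseline[path.relative_to(root).as_posix()] = (digest, mode)
    return baseline


def diff_snapshots(before: Dict[str, Entry], after: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Classify differences between two snapshots."""
    changes = {"modified": [], "added": [], "removed": [], "permissions": []}
    for rel, (digest, mode) in after.items():
        if rel not in before:
            changes["added"].append(rel)
            continue
        old_digest, old_mode = before[rel]
        if digest != old_digest:
            changes["modified"].append(rel)
        if mode != old_mode:
            changes["permissions"].append(rel)
    changes["removed"] = [rel for rel in before if rel not in after]
    return {k: sorted(v) for k, v in changes.items()}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, alter it, and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "old.rules").write_text("allow all\n")
        (root / "bin" / "service").write_bytes(b"constructed-binary-contents")
        os.chmod(root / "bin" / "service", 0o755)
        before = snapshot(root)

        # Changes a file-integrity monitor is expected to alert on:
        (root / "etc" / "app.conf").write_text("debug=true\n")   # configuration edited
        (root / "etc" / "old.rules").unlink()                      # rule file removed
        (root / "etc" / "new_script.sh").write_text("#!/bin/sh\n")  # unexpected new file
        os.chmod(root / "bin" / "service", 0o777)                  # permissions loosened

        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A production FIM tool adds what this sketch leaves out: a baseline stored somewhere the monitored host cannot rewrite, scheduled or real-time re-scans, and forwarding of each finding as an event so it is alerted on and reviewed like any other audit record.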
 
   
 
16. Performance and Utilization Monitoring. This includes monitoring the following metrics:

• CPU Utilization
• Memory Utilization
• Disk Utilization
• Network Utilization

17. Logging and Reporting. Along with capturing all necessary events as described in "Event Monitoring", effective protocols and supporting measures are to be implemented to ensure that all required events and their associated attributes are logged, recorded, and reviewed as necessary. Additionally, all applicable elevated permissions (those for administrators), along with general access rights permissions (those for end-users) to system components, are to be reviewed on a [monthly/quarterly/bi-annual/annual] basis by an authority that is independent from all known users (i.e., end-users, administrators, etc.) and who also has the ability to understand, interpret, and ultimately identify any issues or concerns from the related output (i.e., log reports and other supporting data). The specified authority reviewing the logs is to determine what constitutes "issues or concerns", and to report them immediately to appropriate personnel.

Moreover, protocols such as syslog and other capturing and forwarding protocols and/or technology, such as specialized software applications, are to be used as necessary, along with employing security measures that protect the confidentiality, integrity, and availability (CIA) of the audit trails and their respective log reports (i.e., audit records) that are produced.
 
Additionally, all audit records are to be stored on an external log server (i.e., a centralized syslog server or similar platform) that is physically separated from the original data source, along with employing effective backup and archival procedures for the log server itself. These measures allow your organization to secure the audit records as required for various legal and regulatory compliance mandates, along with conducting forensic investigative procedures if necessary.
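
The manual asks twice for the integrity of audit trails to be protected (item 17 and the separate log server above) without saying how. One standard technique, shown here as an added example that is not from the manual, is a keyed hash chain: the central log server tags each stored record with an HMAC over the record and the previous record's tag, using a key that exists only on the log server. Verification walks the chain, so a record that is later edited, deleted or reordered in the stored copy is detected at the first entry that no longer matches. The key, the records and the in-memory storage are constructed for the example.

```python
"""Tamper-evident audit trail using an HMAC chain (added example)."""
import hashlib
import hmac
from typing import List, Tuple

# Assumption: this key is held by the log server only, never by the systems
# that emit events, so an elevated user on a monitored host cannot re-tag records.
LOG_SERVER_KEY = b"constructed-example-key-do-not-reuse"
GENESIS = "0" * 64  # tag assumed for "the entry before the first one"

Chain = List[Tuple[str, str]]  # (record text, tag)


def _tag(key: bytes, prev_tag: str, record: str) -> str:
    return hmac.new(key, (prev_tag + "\n" + record).encode(), hashlib.sha256).hexdigest()


def append_record(chain: Chain, record: str, key: bytes = LOG_SERVER_KEY) -> None:
    """Store `record` with a tag bound to the record that precedes it."""
    prev = chain[-1][1] if chain else GENESIS
    chain.append((record, _tag(key, prev, record)))


def verify_chain(chain: Chain, key: bytes = LOG_SERVER_KEY) -> Tuple[bool, int]:
    """Return (True, -1) if every record is intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, (record, tag) in enumerate(chain):
        if not hmac.compare_digest(_tag(key, prev, record), tag):
            return False, i
        prev = tag
    return True, -1


def build_sample_chain() -> Chain:
    """Constructed records, in the attribute order item 14 requires."""
    chain: Chain = []
    for rec in [
        "2013-03-05T09:00:00 logon system root 10.0.0.5 success ehr-db01",
        "2013-03-05T09:01:30 file_delete system root 10.0.0.5 success ehr-db01",
        "2013-03-05T09:02:00 logoff system root 10.0.0.5 success ehr-db01",
    ]:
        append_record(chain, rec)
    return chain


def edited_chain() -> Chain:
    """Stored copy in which the delete entry was rewritten after the fact."""
    chain = build_sample_chain()
    record, tag = chain[1]
    chain[1] = (record.replace("file_delete", "file_read"), tag)
    return chain


def truncated_chain() -> Chain:
    """Stored copy from which the delete entry was removed."""
    chain = build_sample_chain()
    del chain[1]
    return chain


if __name__ == "__main__":
    print("intact   :", verify_chain(build_sample_chain()))
    print("edited   :", verify_chain(edited_chain()))
    print("truncated:", verify_chain(truncated_chain()))
```

The chain proves integrity, not availability: an attacker who can delete the whole trail still succeeds, which is why the manual pairs this control with backup and archival of the log server itself. Anchoring the latest tag periodically in a second location (a printed report, a write-once medium, or another server) closes the gap for the tail of the chain.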
 
18. Incident Response. This includes putting in place the following measures:

• "Preparing" in that employees and all other applicable parties should be aware of security threats and computer incidents and undertake all necessary and required training.

• "Detecting" in that procedures are in place that allow for timely detection of all threats, such as the use of specific software tools and other monitoring and detection elements.

• "Responding" in that procedures are in place that allow for rapid and swift response measures, which is highly necessary for containing and quarantining any given incident.

• "Recovering" in that procedures are in place that allow for full recovery of the affected systems, such as the use of backup media and the ability to rebuild, reconfigure and redeploy as necessary.

• "Post Incident Activities and Awareness" in that a formal and documented Incident Response Report (IRR) is to be developed and reviewed by appropriate parties, resulting in "Lessons Learned" from the incident and what initiatives can be implemented to help eliminate the likelihood of future incidents.
   
19. Performance and Security Testing. All applicable system components are to undergo annual vulnerability assessments along with penetration testing to ensure their safety and security from the large and ever-growing external and internal security threats facing your organization today. Vulnerability assessments, which entail scanning a specified set of network devices, hosts, and their corresponding Internet Protocol (IP) addresses, help identify security weaknesses within [company name's] network architecture. Additionally, penetration testing services, which are designed to actually compromise the organization's network and application layers, also assist in finding security flaws that require immediate remediation. Moreover, contractual requirements along with regulatory compliance laws and legislation often mandate that organizations perform such services, at a minimum, annually (for penetration tests), and often on a periodic and/or quarterly basis (for vulnerability assessments). As such, your organization will adhere to these stated requirements and will perform the necessary services on all applicable system components.

Careful planning and consideration of what systems are to be included when performing vulnerability assessments and, particularly, penetration testing is a critical factor, as all environments (i.e., development, production, etc.) must be safeguarded from any accidental or unintended exploits caused by the tester.

20. Disaster Recovery. Documented Business Continuity and Disaster Recovery Planning (BCDRP) is vital to protecting all assets along with ensuring rapid resumption of critical services in a timely manner. Because disasters and business interruptions are extremely difficult to predict, it is the responsibility of authorized personnel to have in place a fully functioning BCDRP process, one that also includes specific policies, procedures, and supporting initiatives relating to all system components.
 
   
 
Security Awareness Resources
   
Listed below are numerous resources for helping employees gain a stronger understanding of the broader topic of information security, such as resources relating to fraud and other important safety considerations for today's information technology world. Security awareness is broad, in-depth, complex, and constantly evolving, requiring a true commitment from all individuals to help protect critical organizational assets along with their own personal assets.

Privacy Rights Clearinghouse (www.privacyrights.org)
Privacy Rights Clearinghouse is a California nonprofit corporation with 501(c)(3) tax exempt status. Their mission is to engage, educate and empower individuals to protect their privacy, effectively identifying trends and communicating their findings to advocates, policymakers, industry, media and consumers.

The National Check Card Fraud Center (http://www.ckfraud.org)
According to their mission statement, the National Check Fraud Center is "a private organization that provides nationwide, updated multi-source information and intelligence to support local law enforcement, federal agencies, financial and retail communities in the detection, investigation and the prosecution of known check fraud and white collar crimes." If you have been a victim of white collar fraud or are aware of possible fraudulent schemes and activities, you may contact them at 843-571-2143.
 
   
 
 
usa.gov (www.usa.gov)
USA.gov is a comprehensive source developed by the United States government that offers information to citizens, businesses, government employees and visitors to the United States. Included on this site is information specifically related to fraud, theft, scams and other malicious and illegal activities. Simply access the Consumer Guides section from the homepage, and an abundance of information is readily available. Many of the resources and links provided on this website point to a number of the agencies and bureaus listed within this document. It's an extremely helpful and resource-rich site for anyone interested in fraud and other related topics. Some of the more notable topics and resources found on USA.gov include the following:

• How to report complaints and fraud relating to any number of issues
• Information regarding common scams and fraudulent activities
• How to report tax fraud scams

Internal Revenue Service (www.irs.gov)
The Internal Revenue Service (IRS) provides helpful information on fraud and scams, such as abusive tax preparation, abusive tax schemes, how to recognize fraudulent tax scams and other useful information. You can learn more by visiting this page.

econsumer.gov (www.econsumer.gov)
This website is specifically designed to allow consumers to file online complaints concerning foreign companies using a submittable virtual form. There is also a "News & Resources" tab where you can learn about the latest fraudulent scams, complete with feature stories on them.
 
 
treasurydirect.gov (www.treasurydirect.gov)
This is a financial services website provided by the United States Department of the Treasury that offers financial information and research for Treasury securities. They also have incorporated information concerning fraud and scams under the "States & Regulations" tab.

United States GAO (www.gao.gov)
The U.S. Government Accountability Office (GAO) is the investigative arm of Congress, and it is generally considered the "congressional watchdog." They have a "FraudNet/Reporting Fraud" resource, which can be found by visiting this page. Contact information is given to individuals who want to report fraud perpetrated by small businesses, federal fraud and even internal fraud at the GAO.

The Federal Bureau of Investigation (www.fbi.gov)
The FBI has an excellent resource page that discusses common fraud schemes along with preventative measures one can take. You can also sign up to be alerted to new fraud schemes via email from the FBI. The FBI webpage highlights the following common fraud schemes:

• Telemarketing Fraud
• Nigerian Letter (419) Fraud
• Impersonation/Identity Fraud
• Advanced Fee Schemes
• Health Insurance Fraud
• Redemption | Strawman | Bond Fraud
• Letter of Credit Fraud
• Ponzi Schemes and Pyramid Schemes
 
Additionally, you can visit the FBI's "Be Crime Smart" page, where you will find additional advice on protecting yourself and your organization from fraudulent activities.

Securities and Exchange Commission (www.sec.gov)
The Securities and Exchange Commission (SEC) is an independent agency of the U.S. government whose primary responsibility is enforcing the numerous federal securities laws and regulating the securities industry, the nation's stock and options exchanges and other securities markets. Any individual can file a complaint concerning any fraudulent financial activity at the SEC's website or via email at enforcement@sec.gov.

The United States Department of Labor | Occupational Safety and Health Administration (www.osha.gov)
If you work for a publicly traded company and you have been fired, demoted, suspended, threatened, harassed, or discriminated against for reporting possible shareholder fraud to a supervisor, federal regulator, or member of Congress, you have the right to contact the federal government as mandated by OSHA's Whistleblower Protection Program. OSHA is the federal agency that investigates and handles "whistleblower" complaints. You can learn more at www.osha.gov.

The United States Department of Health and Human Services (www.hhs.gov)
The Department of Health and Human Services (HHS) is the United States government's primary agency for protecting the health of all Americans by way of making available essential healthcare services.
 
 
 
 
As mentioned before, a growing problem in the United States is healthcare fraud, especially with Medicare and Medicaid. HHS has thus provided detailed information regarding all aspects of Medicare and Medicaid fraud, such as how to report fraud, common fraudulent schemes involving Medicare and Medicaid and a link to the Department of Health and Human Services Center for Medicare and Medicaid Services (CMS) that can be accessed by clicking here.

United States Postal Inspection Service (www.postalinspectors.uspis.gov)
The United States Postal Inspection Service (USPIS) provides a number of resources for helping individuals understand the various elements of fraud and common fraudulent schemes currently being used. At the USPIS site, individuals can view fraud prevention videos and learn about current fraudulent schemes and what rights you have should you become a victim of fraud.

The Federal Trade Commission (www.ftc.gov)
The Federal Trade Commission (FTC) is the nation's consumer protection agency and includes the Bureau of Consumer Protection, which works on behalf of consumers to prevent fraud, deception and unfair business practices in the marketplace. The Bureau also collects complaints concerning consumer fraud and identity theft, and it makes them available to law enforcement agencies across the country. You can learn more by clicking here.

The United States Secret Service (www.secretservice.gov)
The Secret Service Financial Crimes Division investigates crimes associated with financial institutions, which include bank fraud, access device fraud involving credit and debit cards, telecommunications and computer crimes, fraudulent identification, fraudulent government and commercial securities and electronic funds transfer fraud. You can learn more about the Financial Crimes Division at the Secret Service by clicking here.
 
The United States Department of Justice (www.justice.gov)
The United States Department of Justice (USDOJ) employs a Fraud Section that is described as a rapid response team that investigates and prosecutes white collar crimes in the United States. The Fraud Section, which you can learn more about by clicking here, provides valuable resources and information related to the following:

• Helpful tips and other information pertaining to consumer fraud
• Phishing
• Identity Theft
• Telemarketing Fraud
• Discussion of "Working Groups" relating to securities and commodities fraud
• Listing of policies relating to prosecutorial issues for business organizations

Additionally, you can visit the Computer Crime & Intellectual Property Section of the United States Department of Justice. At this site you can find a wealth of information relating to criminal and fraudulent schemes, as well as details on how to report a crime.

Internet Crime Complaint Center (www.ic3.gov)
The Internet Crime Complaint Center (IC3) is a partnership between the FBI, the National White Collar Crime Center (NW3C) and the Bureau of Justice Assistance (BJA). As stated on its site, the IC3 has a virtual portal for accepting crime complaints from either the alleged victim of fraud or from a third party to the complainant. Additionally, the IC3 furnishes individuals with useful information such as crime prevention tips, updates on current scams and downloadable posters and flyers.
 
 
 
The Federal Communications Commission (www.fcc.gov)
The Federal Communications Commission (FCC) is an independent agency of the U.S. government that was established by the Communications Act of 1934. The FCC is primarily responsible for regulating interstate and international communications by radio, television, wire, satellite and cable. The FCC's Consumer Alerts and Fact Sheets section consists of publications that alert consumers to a wide variety of issues, including fraudulent schemes.

The Better Business Bureau (www.bbb.org)
The Better Business Bureau (BBB) is an organization that promotes a marketplace governed by ethical standards where buyers and sellers can trust each other. For both businesses and consumers, the BBB has a large amount of useful information concerning fraud. You can easily use their "search" box and type in any topic related to fraud, or you can benefit from the many other resources available at the site.

National Consumers League Fraud Center (www.fraud.org)
The National Consumers League Fraud Center (NCL) provides a wealth of information relating to fraud schemes, and their website enables online filing of fraud complaints. NCL's fraud center resources include the following areas found on their website:

• Frequently Asked Questions
• Telemarketing Fraud
• Internet Fraud
• Scams against Businesses
• Scams against the Elderly
• Counterfeit Drugs
• Fraud News
 
 
National White Collar Crime Center (www.nw3c.org)
The National White Collar Crime Center (NW3C) provides training, investigative support and research to agencies and other entities involved in the prevention, investigation and prosecution of economic and high-tech crimes.

The NW3C is a nonprofit membership organization dedicated to supporting law enforcement, yet it has no investigative authority itself. Its primary mission is to assist law enforcement agencies in better understanding and using a wide variety of tools to combat crime. The NW3C provides training (classroom courses), research and partnership opportunities with other entities.

Consumer Fraud Reporting (www.consumerfraudreporting.org)
Consumer Fraud Reporting is a free online service that warns consumers about specific types of fraud and other scams via the Internet, and it provides a mechanism for reporting fraudulent activity and financial scams. The website is extremely informative, providing an abundance of information on how to detect and prevent scams, what government agencies are involved in combating fraud, how to report a scam or fraudulent activity and links to free publications on fraud itself.

National Association of Attorneys General (NAAG) (www.naag.org)
The National Association of Attorneys General (NAAG), founded in 1907, fosters interstate cooperation on legal and law enforcement issues, and it conducts policy research and analysis of issues, as well as other essential activities, between the states' chief legal officers and all levels of government. At the NAAG website, a listing of all current Attorneys General for each respective state and territory is provided. This is an invaluable resource, primarily because each state AG's website provides valuable information concerning fraud, such as how to report it, how to file a complaint and other resources that may be helpful in gaining a greater awareness and understanding of fraud.
 
This completes your annual HIPAA training.

Please click "Finish Course" on the right to proceed to the quiz.