Security Compliance

Started by Robin Deatherage, November 17, 2010, 02:23:50 PM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

Robin Deatherage

This is a two part question. 

1.  Do you have guidelines for your users on what types of information must be sent using email encryption?  I know the basics but don't really want to start from scratch with coming up with a list if I could help it.

2.  Do you have an Offsite Work Agreement that you would be willing to share?  This would be for employees who are allowed to work from home and or those who travel (while at hotels, conferences, etc), and be security related guidelines that they agree to follow.

Thanks
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Mark

#1
Hi Robin,

For #1) We use keywords to trigger encryption, so it doesn't matter if the user *wants* to encrypt the email or not (and believe me, many times they think they do NOT want it encrypted).  If the pattern of a SSN or credit card number is matched (via RegEx) the email is automatically encrypted.  I also have a list of keywords that will driver it, like "drivers license number", "DOB", etc that will trigger it.  Lastly, (and this is a dead giveaway as to what product we're using) if none of the above fit your email but you still want it encrypted, putting the text:

[encrypt]

anywhere in the email will trigger encryption.

So, we don't currently have a written guideline, but we are basically attempting to make the decision for the user instead of giving them the option.  We do have documentation showing what we are encrypting, which may count as a guideline in a legal case... or may not.  We are still working on that piece.  :-)

#2) I got nothing.  Sorry! :-)
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Adri

Mark- don't call Robin a Ho!!!!
Adri Wutkowski
Vice President
Robertson Ryan & Associates
Florida

Mark

Quote from: Adri on November 17, 2010, 04:06:44 PM
Mark- don't call Robin a Ho!!!!

What?  I know I can't type... but that NEVER happened!!
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Robin Deatherage

 :D  Thanks Adri.  I have to admit I've been called worse.  
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Mark

Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Robin Deatherage

Quote from: Mark on November 17, 2010, 04:16:45 PM
Robin is my friend!!  :-)
I was until you called me a Ho.  "unfriend"
Just kidding.  I still luv ya Mark.   
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Robin Deatherage

Adri, I love your profile pic.  Is that your daughter?  She's adorable.
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Mark

Quote from: Robin Deatherage on November 17, 2010, 04:21:06 PM
Quote from: Mark on November 17, 2010, 04:16:45 PM
Robin is my friend!!  :-)
I was until you called me a Ho.  "unfriend"
Just kidding.  I still luv ya Mark.   

:-)
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Mark

Quote from: Robin Deatherage on November 17, 2010, 04:21:06 PM
I was until you called me a Ho.  "unfriend"

There still is no evidence of this....   ;)
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Adri

Quote from: Robin Deatherage on November 17, 2010, 04:24:59 PM
Adri, I love your profile pic.  Is that your daughter?  She's adorable.

Yep, that is my youngest, Olivia.  Thanks!
Adri Wutkowski
Vice President
Robertson Ryan & Associates
Florida

Adri

Quote from: Mark on November 17, 2010, 04:15:20 PM
Quote from: Adri on November 17, 2010, 04:06:44 PM
Mark- don't call Robin a Ho!!!!

What?  I know I can't type... but that NEVER happened!!

LOL-  Look at what you started!
Adri Wutkowski
Vice President
Robertson Ryan & Associates
Florida

Mark

Quote from: Adri on November 17, 2010, 04:54:26 PM
LOL-  Look at what you started!

I started nothing!  :P  You are just a trouble-maker!
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

brinkerdana

2.  Do you have an Offsite Work Agreement that you would be willing to share?  This would be for employees who are allowed to work from home and or those who travel (while at hotels, conferences, etc), and be security related guidelines that they agree to follow.

I've worked from home for the last 3 jobs and never had an agreement.  I KNEW the data was sensitive and made sure my computer had the appropriate safety features. 
Dana Brinkerhoff
Retired

Robin Deatherage

Quote from: brinkerdana on November 17, 2010, 09:21:45 PM
2.  Do you have an Offsite Work Agreement that you would be willing to share?  This would be for employees who are allowed to work from home and or those who travel (while at hotels, conferences, etc), and be security related guidelines that they agree to follow.

I've worked from home for the last 3 jobs and never had an agreement.  I KNEW the data was sensitive and made sure my computer had the appropriate safety features. 
One of the classes I attended at TENCon was the HIPAA and HITECH Survival Guide by Laura Nelson.  During the class she recommended that agencies have an Offsite Work Agreement in place spelling out to the employees exactly what is expected of them security wise.  That's why I'm asking about this.  Just a CYA in case you are audited.
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

brinkerdana

Two of those work-from-home jobs were pre-HIPPA, etc. 

Dana Brinkerhoff
Retired

Lance Bateman

Not to be picky, but it's HIPAA - Health Insurance Portability and Accountability Act - though it was gutted from the original intent of the bill (which would have allowed you to take your insurance with you if you changed employer), and now is mostly on the privacy aspects.

Anyway - it wouldn't matter if they started pre- or post- you'd need to update.  Our "work at home" also specified space, separation from other people in the house (such as children), etc - and we provided the computer they were to use.

Quote from: brinkerdana on November 18, 2010, 02:53:16 PM
Two of those work-from-home jobs were pre-HIPPA, etc. 



Robin Deatherage

Lance do you have a document that you can share?  If not that's ok.

With HITECH there are so many new issues. sigh....   
I've been referring to HITECH as "HIPAA on steriods".   ;D
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Lance Bateman

Sorry, Robin, I don't have access to it now.  And did you mean HITECH is HIPAA on steroids, or PMS?  (LOL)

Quote from: Robin Deatherage on November 18, 2010, 03:08:06 PM
Lance do you have a document that you can share?  If not that's ok.

With HITECH there are so many new issues. sigh....   
I've been referring to HITECH as "HIPAA on steriods".   ;D

Robin Deatherage

Quote from: Lance Bateman on November 18, 2010, 03:25:38 PM
And did you mean HITECH is HIPAA on steroids, or PMS?  (LOL)

Either one works.   ;) 
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Jan Regnier

Quote from: Robin Deatherage on November 18, 2010, 03:08:06 PM

With HITECH there are so many new issues. sigh....   
I've been referring to HITECH as "HIPAA on steriods".   ;D

Hmmm  I call it CRAP....... ("obscene word for unacceptable behavior" - among others)   ;D
Jan Regnier
jan.regnier@meyersglaros.com
Meyers Glaros Group, Merrillville, IN 26 Users
EPIC 2020, Office 365, Indio

Robin Deatherage

I finally found something for offsite workers.  It's geared toward the healthcare industry but could work for us too I think.  I would appreciate any thoughts or comments please.
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Lance Bateman

Just a couple decisions we made:
1.  We provided the computer and monitors - that way there was no concern of their own computer being used by others, or not meeting required standards (think of how many people want to limit their own computer to Windows Classic screen, or don't have the proper security set up).

2.  They were only set up for printing to the computers in the office.  Nothing from the system should be printed at their home.

3.  Workplace in the home must be dedicated, not in a room they would be dealing with children, etc.

Good luck.