Security Compliance

Started by Robin Deatherage, November 17, 2010, 02:23:50 PM


Robin Deatherage

This is a two part question. 

1.  Do you have guidelines for your users on what types of information must be sent using email encryption?  I know the basics but don't really want to start from scratch with coming up with a list if I could help it.

2.  Do you have an Offsite Work Agreement that you would be willing to share?  This would be for employees who are allowed to work from home and or those who travel (while at hotels, conferences, etc), and be security related guidelines that they agree to follow.

Thanks
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Mark

Hi Robin,

For #1) We use keywords to trigger encryption, so it doesn't matter if the user *wants* to encrypt the email or not (and believe me, many times they think they do NOT want it encrypted).  If the pattern of an SSN or credit card number is matched (via RegEx) the email is automatically encrypted.  I also have a list of keywords that will drive it, like "drivers license number", "DOB", etc. that will trigger it.  Lastly, (and this is a dead giveaway as to what product we're using) if none of the above fit your email but you still want it encrypted, putting the text:

[encrypt]

anywhere in the email will trigger encryption.

So, we don't currently have a written guideline, but we are basically attempting to make the decision for the user instead of giving them the option.  We do have documentation showing what we are encrypting, which may count as a guideline in a legal case... or may not.  We are still working on that piece.  :-)

#2) I got nothing.  Sorry! :-)
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security
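The policy Mark describes (regex on SSN and card-number patterns, a keyword list, and a manual tag that overrides everything) is easy to express as a small outbound-mail classifier. The following is an added example, not code from the thread or from whatever encryption gateway Mark's agency uses; the patterns, the keyword list and the sample messages are all assumptions constructed for the illustration. It goes one step beyond the post by running a Luhn checksum on card-number candidates so that claim or policy reference numbers that merely look like card numbers do not force encryption.

```python
import re

# Patterns and keyword list are assumptions for this example, not the rules
# of any particular email-encryption product.
# US SSN in dashed form; the lookaheads reject area/group/serial values that
# are never issued (000, 666, 9xx / 00 / 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# Card-number candidates: 13 to 16 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# Keywords that force encryption regardless of pattern matches (assumed list).
KEYWORDS = ("drivers license number", "driver's license number", "dob", "date of birth")
KEYWORD_RE = re.compile(
    r"\b(?:" + "|".join(re.escape(k) for k in KEYWORDS) + r")\b", re.IGNORECASE
)
# Manual override tag, as in the post.
MANUAL_TAG = "[encrypt]"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(subject: str, body: str) -> dict:
    """Return {'encrypt': bool, 'reasons': [...]} for one outbound message."""
    text = f"{subject}\n{body}"
    reasons = []
    if MANUAL_TAG in text.lower():
        reasons.append("manual-tag")
    if SSN_RE.search(text):
        reasons.append("ssn")
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            reasons.append("credit-card")
            break
    for m in KEYWORD_RE.finditer(text):
        reasons.append("keyword:" + m.group(0).lower())
    return {"encrypt": bool(reasons), "reasons": reasons}


# Constructed sample messages (not real data).
SAMPLE_MESSAGES = [
    ("Renewal", "Please confirm SSN 123-45-6789 for the policy."),
    ("Card on file", "Charged to 4111 1111 1111 1111 today."),
    ("Reference", "Claim reference 1234567890123 was filed."),
    ("Quote", "Need the insured's DOB and drivers license number."),
    ("Follow-up", "[ENCRYPT] the attached schedule"),
    ("Software", "Adobe Reader update is available."),
]

if __name__ == "__main__":
    for subject, body in SAMPLE_MESSAGES:
        decision = classify(subject, body)
        print(f"{subject:12s} encrypt={decision['encrypt']!s:5s} {decision['reasons']}")
```

Two points worth noting for anyone writing their own rule set: word boundaries on the keyword regex keep "DOB" from firing on "Adobe", and the Luhn check is what lets a 13-digit claim number pass while a real card number is still caught. The manual tag remains necessary because pattern rules miss things like an SSN typed without dashes, which is exactly the gap Mark's "[encrypt]" fallback covers.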

Adri

Mark- don't call Robin a Ho!!!!
Adri Wutkowski
Vice President
Robertson Ryan & Associates
Florida

Mark

Quote from: Adri on November 17, 2010, 04:06:44 PM
Mark- don't call Robin a Ho!!!!

What?  I know I can't type... but that NEVER happened!!
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Robin Deatherage

 :D  Thanks Adri.  I have to admit I've been called worse.  
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Mark

Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Robin Deatherage

Quote from: Mark on November 17, 2010, 04:16:45 PM
Robin is my friend!!  :-)
I was until you called me a Ho.  "unfriend"
Just kidding.  I still luv ya Mark.   
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Robin Deatherage

Adri, I love your profile pic.  Is that your daughter?  She's adorable.
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Mark

Quote from: Robin Deatherage on November 17, 2010, 04:21:06 PM
Quote from: Mark on November 17, 2010, 04:16:45 PM
Robin is my friend!!  :-)
I was until you called me a Ho.  "unfriend"
Just kidding.  I still luv ya Mark.   

:-)
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Mark

Quote from: Robin Deatherage on November 17, 2010, 04:21:06 PM
I was until you called me a Ho.  "unfriend"

There still is no evidence of this....   ;)
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Adri

Quote from: Robin Deatherage on November 17, 2010, 04:24:59 PM
Adri, I love your profile pic.  Is that your daughter?  She's adorable.

Yep, that is my youngest, Olivia.  Thanks!
Adri Wutkowski
Vice President
Robertson Ryan & Associates
Florida

Adri

Quote from: Mark on November 17, 2010, 04:15:20 PM
Quote from: Adri on November 17, 2010, 04:06:44 PM
Mark- don't call Robin a Ho!!!!

What?  I know I can't type... but that NEVER happened!!

LOL-  Look at what you started!
Adri Wutkowski
Vice President
Robertson Ryan & Associates
Florida

Mark

Quote from: Adri on November 17, 2010, 04:54:26 PM
LOL-  Look at what you started!

I started nothing!  :P  You are just a trouble-maker!
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

brinkerdana

2.  Do you have an Offsite Work Agreement that you would be willing to share?  This would be for employees who are allowed to work from home and or those who travel (while at hotels, conferences, etc), and be security related guidelines that they agree to follow.

I've worked from home for the last 3 jobs and never had an agreement.  I KNEW the data was sensitive and made sure my computer had the appropriate safety features. 
Dana Brinkerhoff
Retired

Robin Deatherage

Quote from: brinkerdana on November 17, 2010, 09:21:45 PM
2.  Do you have an Offsite Work Agreement that you would be willing to share?  This would be for employees who are allowed to work from home and or those who travel (while at hotels, conferences, etc), and be security related guidelines that they agree to follow.

I've worked from home for the last 3 jobs and never had an agreement.  I KNEW the data was sensitive and made sure my computer had the appropriate safety features. 
One of the classes I attended at TENCon was the HIPAA and HITECH Survival Guide by Laura Nelson.  During the class she recommended that agencies have an Offsite Work Agreement in place spelling out to the employees exactly what is expected of them security-wise.  That's why I'm asking about this.  Just a CYA in case you are audited.
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations