Definitions of Confidential and Sensitive Information
Definitions of Confidential and Sensitive Information (CSI)
Policy
________________________________________
Document Number: REDFLAG--102 Revision #: 1.0
Document Owner: Executive VP Date Last Updated: 08/17/2012
Primary Author: Executive VP Status: Approved
Date Originally Created: 12/14/2011
________________________________________
General Description
Description: Information about confidential and sensitive information (CSI).
Purpose: Delineation of policy and definitions.
Scope: All faculty, staff, students, and administrators
Responsibility: Administration
Executive VP
VP of Business and Finance
________________________________________
Requirements
Relevant Knowledge: In order to comply with this policy you should know:
Current University policy
Federal statutes
Standard company policies
Standards of good practice
State statutes
Terms and Definitions: Additional training
Corrective Action
Fine
Loss of privilege, general
Termination
Staff members who knowingly and blatantly violate this policy may be terminated.
________________________________________
Policy Provisions
1. Definitions of Confidential and Sensitive Information (CSI)
Confidential and Sensitive Information includes, but is not limited to, the following identifiers whether contained in hard copy or electronic format.
1.1 Personal Information
1. Social Security Number
2. Social Insurance Number
3. Date of Birth
4. Mother’s Maiden Name
5. Driver’s License Information
6. Professional License Information
7. Paychecks, Pay stubs, Pay rates
8. Passport Information
1.2 Financial Information
1. Credit Card Numbers
2. Credit Card Expiration Dates
3. Credit Card CCV Numbers
4. Bank/Credit Union Account Numbers
5. Billing Information
6. Payment History
1.3 Medical Information
1. Medical Records
2. Doctor Names and Claims
3. Health, Life, Disability Insurance Policy Information
4. Prescription Information
1.4 Business Information
1. Federal ID Numbers
2. Proprietary Information
3. Trade Secrets
4. Business Systems
5. Security Systems
6. Employee Identifiers
7. Student Identifiers
8. Access Numbers / Passwords
9. Customer, Student, Patient Identifiers
10. Vendor Numbers
11. Account Numbers
2. Account
An account is a body of information, or a record, or an individual, group, or entity that is kept for the purpose of transacting on an on-going basis with another individual, group, or entity. The terms “accounts” and “records” are used interchangeably because they share similar functions and characteristics. Both contain identifiable information on an individual,
group, or entity. They each allow for access to products or services, and keep a history of transaction activity.
3. Covered Account
Both new and existing accounts where a continuing relationship exists between the University and an individual, group, or entity are considered “covered accounts.” There are two definitions.
1. An account that the University offers or maintains, primarily for personal, family, or household purposes, that involve or is designated to permit multiple payments or transactions. Examples include a credit card account, tuition and fee payment, bookstore purchases, and/or other financial transactions of matriculated and non-matriculated students and of employees.
2. Any other account that the University offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or mitigation risks.
4. Electronic or Soft Copy Format
Electronic or Soft Copy Format refers to any Confidential and Sensitive Information that exists electronically on CDs, DVDs, phones, computers, networks, portable devices, etc.
5. Hard Copy Format
Hard Copy Format refers to any Confidential and Sensitive Information that exists physically on paper.
6. Physical Access Zone
A physical access zone is a clearly defined physical or implied boundary established to control and limit access to CSI areas.
7. Red Flags
Red Flags are patterns, practices, or specific activities involving covered accounts that indicate the possible risk of identity theft.
.
8. Service Provider
A service provider is any individual, group, or entity that directly provides a service to the University or on behalf of the University for its customers or clients.
9. Spoken Word
Spoken Word refers to the transfer of Confidential and Sensitive Information verbally or audibly through electronic media.
________________________________________
Performance Evaluation
Performance Metrics: Compliance with standard policy and procedure
Compliance with federal mandate
Consequences: Further training
Job Termination
Loss of privileges
________________________________________
Subject Experts
The following may be consulted for additional information.
Executive VP
VP of Business and Finance