iSecurityPolicy - v8 oregon information security
SB583: The Oregon Identity Theft Protection Act (OITPA)

For a reason to buy Information Security policies, it is hard to beat an excerpt directly from the law itself:

Any person that owns, maintains or otherwise possesses data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation or volunteer activities must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal information, including disposal of the data.

To read through the new law for yourself, please click here.


The State of Oregon adopted a strict Information Security law, which became effective on January 1, 2008. The law is broken up into four sections; the requirements of those sections are summarized below.

iSecurityPolicy.com’s Information Security Policy Manual (ISPM) meets ALL of the requirements of the Oregon Identity Theft Protection Act (OITPA) (SB583). As an Oregon business, we were at the forefront of this law, assisting businesses and organizations in becoming compliant so that they would not face devastating fines for non-compliance. Click here to read more about the ISPM and what it contains.

Security Freeze
All Oregonians will be able to place a security freeze on their credit file maintained by a credit reporting agency, such as Equifax, Experian, or TransUnion.

Breach Notification
Anyone (business, organization, or individual) who maintains personal information of Oregon consumers will be required to notify his or her customers if computer files containing that personal information have been subject to a security breach.

Protect SSNs
The law prohibits anyone from printing Social Security numbers on cards or documents or publicly displaying or posting a Social Security number. This doesn't apply to the use of SSNs for internal verification purposes. The law allows an exception for records that are required by law to be made available to the public or filed with courts.

Safeguard PII
If you collect personal information from an individual, such as driver's license numbers or Social Security numbers, you must develop, implement and maintain reasonable safeguards to protect the security and confidentiality of the information. This also includes the proper disposal of information.

Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:

The following shall be deemed in compliance:

Section A:

  1. A person that complies with a state or federal law providing greater protection to personal information than that provided by this section.
  2. A person that is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809) as that Act existed on the effective date of this 2007 Act.
  3. A person that is subject to and complies with regulations implementing the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164) as that Act existed on the effective date of this 2007 Act.
  4. A person that implements an information security program that includes administrative safeguards such as the following, in which the person:
    (i) Designates one or more employees to coordinate the security program;
    (ii) Identifies reasonably foreseeable internal and external risks;
    (iii) Assesses the sufficiency of safeguards in place to control the identified risks;
    (iv) Trains and manages employees in the security program practices and procedures;
    (v) Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
    (vi) Adjusts the security program in light of business changes or new circumstances;

Section B:

  1. Technical safeguards such as the following, in which the person:
    (i) Assesses risks in network and software design;
    (ii) Assesses risks in information processing, transmission and storage;
    (iii) Detects, prevents and responds to attacks or system failures; and
    (iv) Regularly tests and monitors the effectiveness of key controls, systems and procedures; and
  2. Physical safeguards such as the following, in which the person:
    (i) Assesses risks of information storage and disposal;
    (ii) Detects, prevents and responds to intrusions;
    (iii) Protects against unauthorized access to or use of personal information during or after the collection, transportation and destruction or disposal of the information; and
    (iv) Disposes of personal information after it is no longer needed for business purposes or as required by local, state or federal law by burning, pulverizing, shredding or modifying a physical record and by destroying or erasing electronic media so that the information cannot be read or reconstructed.

The good news is that iSecurityPolicy.com is here to help your business become and stay compliant with all applicable Information Security laws and industry requirements, such as the Payment Card Industry Data Security Standard (PCI DSS). The threats are real, so you need to be prepared both to protect your company from these incidents and to document the steps you took to exercise due care and due diligence. Additionally, consumers want to do business with companies that they trust to protect their personal information and credit card numbers.

We developed the industry's first source for a customized, on-demand Information Security Policy Manual (ISPM) that is specifically tailored for small and medium-sized businesses like yours. Because we follow industry-recognized best practices, we reference the applicable laws, requirements, and standards that businesses need to follow to be considered compliant.

At iSecurityPolicy.com, you will not find “Bronze, Silver or Gold” packages like at some competitor sites. The reason for this is that our experience has proven that a standard is a standard for a reason. Simply put, compliance is penalty-centric. The court system has established a track record of punishing businesses for failing to meet compliance with known standards. In terms of Information Security compliance, what you do not know has the proven ability to hurt you. With that in mind, lesser products are a liability that could prove immensely costly if they do not meet all of your current and future compliance needs. Unfortunately, ignorance is neither bliss, nor is it an excuse! What your employees do not know has the proven ability to hurt your company. In terms of liability for a company, security does not exist until it is documented.

  • We are here to assist those businesses that lack our specialized knowledge & experience
  • Information Security is too important to be left to amateurs or partial solutions
  • Every company needs robust security policies, procedures, standards & guidelines
  • Our policies are written in a business-context so users can clearly grasp requirements
  • Our products are based on industry-recognized best practices & standards
  • Our solution is affordable and straightforward to implement

Most smaller businesses lack a dedicated IT staff and must rely on outsourced expertise. This is a good solution for most IT needs, but the vast majority of IT companies that support smaller businesses lack the expertise to properly advise their clients on Information Security and the compliance issues they should be concerned with. This is where iSecurityPolicy.com is a wonderful resource, since our Information Security products and services can be implemented by your current IT provider. We can provide them with the roadmap and the tools to properly secure your network and make you compliant. It is as easy as that!

Why Does Your Business Need Information Security Policies?

The reason is simple: Information Security policies are entirely focused on protecting your business! Professionally written policies provide the necessary steps to document the due care and due diligence your business needs to prove compliance with Information Security laws and industry regulations. While you spend thousands of dollars a year on business liability insurance, purchasing an Information Security Policy Manual (ISPM) from iSecurityPolicy.com might be the most cost-effective protection you can provide for your company.

What most businesses fail to realize is that a single data breach (whether caused by a hacker or by a careless employee) can close a business forever, because liability insurance does not cover professional negligence. Without the ability to demonstrate that documented steps were taken to apply due care and due diligence to your business operations, you may be considered negligent in a lawsuit. This means you will be solely responsible for the financial damages from lawsuits, fines, and notification expenses arising from any data breach. Insurance companies are in the business of collecting premiums and do not want to pay out unless they have to. Insurers will look for loopholes to avoid paying claims, and when you are non-compliant with a law or industry requirement, you make it easy for them to deny your claim on the grounds that objective standards were not met.

All documents are reviewed by a CISSP.

39 professionally written policies customized for your company!

The Information Security Policy Manual (ISPM) contains the following policies:

  • Acceptable Use
  • Analog Line (POS systems)
  • Business Continuity Planning
  • Change Control
  • Computer Lifecycle Program
  • Data Breach
  • Data Classification
  • Data Collection
  • Data Lifecycle
  • Data Storage
  • Developing Secure Systems
  • Digital Signatures
  • Disaster Recovery Planning
  • Electronic Communications
  • Electronic Communications Retention
  • Encryption
  • Firewall Security
  • Identity Theft Protection
  • Incident Response
  • Information Asset Issue
  • Information Assurance (IA)
  • Information Security Management
  • Intranet
  • Malicious Software
  • Non-Regulatory Compliance
  • Operating System
  • Operational Security
  • Password
  • Personal Communication Device
  • Personal Use
  • Privacy & Monitoring
  • Regulatory Compliance
  • Remote Access (VPN)
  • Risk Assessment
  • Router Security
  • Service Provider
  • User Security Training
  • Vulnerability Assessment
  • Wireless Communications


Copyright © 2007-2009. All rights reserved.
iSecurityPolicy.com is a division of BlackHat Consultants, LLC. BlackHat Consultants, LLC is Veteran owned.

We are proud to be an Oregon business and to support other businesses that help make this a great state to call home.