ORS 646A.200 - The Oregon Identity Theft Protection Act
The State of Oregon adopted a strict Information Security law, the Oregon Identity Theft Protection Act, which became effective on January 1, 2008. The law is broken up into four sections, and SecurityWaypoint.com’s Written Information Security Program (WISP) meets ALL of the requirements of the Oregon Identity Theft Protection Act (OITPA) (ORS 646A.200). As an Oregon business, we were at the forefront of this law, assisting businesses and organizations in becoming compliant so that they would not face devastating fines for being non-compliant.
For a reason to buy Information Security policies, it is hard to beat an excerpt directly from the law itself:
“Any person that owns, maintains or otherwise possesses data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation or volunteer activities must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal information, including disposal of the data.”
To read through the new law for yourself, please click here.
For your company to meet the legal requirements of the Oregon Identity Theft Protection Act (OITPA), your company must have a documented Information Security program in place. Our Written Information Security Program (WISP) is a professionally written, cohesive compilation of policies, procedures, standards and guidelines that are designed with one purpose in mind - to provide you with the written security policies necessary to secure your business and meet your specific regulatory requirements.
We take the hassle of the Oregon Identity Theft Protection Act guesswork away so you can focus on what you do best - growing your business. As Information Security professionals we know the policies you need to have in place to meet the requirements for compliance. The likelihood that your local “IT guy” knows your compliance requirements is slim to none, since Information Security is a very specific skill set.
We follow proven, internationally recognized standards for what security policies should consist of. Many competitor sites unfortunately offer solutions that will leave you exposed and unprepared - when keeping your company in business and protected is the priority, there is no room for amateur solutions. The Written Information Security Program (WISP) stands out from the competition in its coverage, depth, and price. Additionally, the turnaround for a Written Information Security Program (WISP) is generally 1-2 business days.
It is well documented that the lack of standards and lack of employee awareness are the leading causes of security breaches, malware infections (e.g. viruses & spyware), and identity theft. If you have 2 or more employees, a WISP is just as important as the professional liability insurance you carry on your business. The benefits of Information Security for small and medium businesses are many:
- Decreased costs - less reactive IT support
- Improved productivity - decreased distractions
- Decreased virus & spyware outbreaks
- More efficient operations
- Better performing network & computers
- Better accountability of assets & resources
- Better educated & trained employees
Most smaller businesses lack a dedicated IT staff and must rely on outsourced expertise. This is a good solution for most technology needs, but the vast majority of IT companies that support smaller businesses lack the expertise to properly consult their clients on Information Security and what compliance issues they should be concerned with. This is where SecurityWaypoint.com is a wonderful resource, since our Information Security products and services can be implemented by your current IT provider. We provide them with the roadmap and the tools to properly secure your network and make you compliant with the Oregon Identity Theft Protection Act. It is as easy as that!
Hint: Non-compliance with a law or industry requirement is considered negligent behavior, and liability insurance does not cover professional negligence.
Without the ability to prove documented steps were taken to ensure due care and due diligence were applied to your business operations, your company may be considered negligent in a lawsuit.
This means you will be entirely responsible for the financial damages from lawsuits, fines, and notification expenses from any data breaches.
Insurance companies are in the business to make money from getting paid premiums and do not want to pay out unless they have to.
Call your insurance agent to verify it for yourself!
Why Does Your Business Need A Written Information Security Program (WISP)?
The reason is simple - Information Security policies are entirely focused on protecting your business! Professionally written policies provide the necessary steps to document the due care and due diligence your business needs to prove compliance with Information Security laws and industry regulations. While you spend thousands of dollars a year on business liability insurance, purchasing a Written Information Security Program (WISP) from SecurityWaypoint.com might be the most cost-effective protection you can provide for your company.
SecurityWaypoint.com was the industry's first source for a customized, on-demand Written Information Security Program (WISP) that is specifically tailored for small and medium sized business.
Our Written Information Security Program (WISP) follows industry-recognized best practices (e.g. NIST, ISO and CIS) and we reference applicable laws, requirements, standards, and best practices that businesses need to follow to be considered compliant. The requirements of the Oregon Identity Theft Protection Act are footnoted by each applicable policy in the Written Information Security Program (WISP).
Written Information Security Program (WISP) highlights for the Oregon Identity Theft Protection Act:
- Easy to implement & tailored to your company
- Policies are based on NIST 800-series and ISO 27000-series standards
- Dozens of policies and standards specifically tailored for small to medium businesses
- Covers the PCI DSS, GLBA, SOX, HIPAA, FACTA and more!
- Identifies administrative, technical and physical factors associated with Information Security
- Provides standards for both assessing risk and hardening of networks and systems
- Comprehensive encryption procedures
- Ongoing user education and security awareness training
- Incident response procedures
- Procedures to audit user accounts and deal with terminated employees
- Includes Security & Compliance Director (SCD) appointment orders, an employee acknowledgment form, and other useful forms to allow you to implement a complete Information Security program right away
What Makes The Written Information Security Program (WISP) Superior To Our Competition
The Written Information Security Program (WISP) is logically organized, following industry-recognized best practices as established by the National Institute of Standards & Technology (NIST). SecurityWaypoint.com is also an Oregon-based business, so we have to pay particular attention to the Oregon Identity Theft Protection Act.
Security controls are synonymous with standards. Security controls have a well-defined organization and structure. Security controls are organized into classes and families for ease of use in the control selection and specification process. There are four general classes of security controls:
- Common
  - Common controls address Information Security program-level security topics.
  - These common controls establish the overall framework for management, operational and technical controls.
- Management
  - Management controls address techniques and concerns that are normally addressed by management in the Information Security program.
  - Management controls focus on the management of the Information Security program and the management of risk within the company.
- Operational
  - Operational controls address techniques and concerns that are generally implemented and executed by people, as opposed to systems, that are put in place to improve the security of a particular system or group of systems.
  - Operational controls often require technical or specialized expertise, often relying upon management activities as well as technical controls.
- Technical
  - Technical controls address processes and concerns that a computer system executes.
  - Technical controls are dependent upon the proper functioning of the system for their effectiveness and therefore require significant operational considerations.
These classes of controls have subordinate families of controls. While they sometimes have overlapping coverage, as visualized below, the end product is a comprehensive Information Security program that will serve your company well.
The best method to describe the comprehensive nature of the policies of the Written Information Security Program (WISP) is to show you how our policies both cover industry-recognized best practices, as well as how regulatory and non-regulatory requirements map out to the policies within the WISP.
Click on the image below to open a PDF document that lays out the policies within the WISP, the industry best practices used, and the corresponding requirements that are addressed by those policies.
Obtaining Affordable & Customized Information Security Policies Is Easy With SecurityWaypoint.com!
The good news is SecurityWaypoint.com is here to help your business become and stay compliant with all applicable Information Security laws and industry requirements, such as the Payment Card Industry Data Security Standard (PCI DSS). Our Written Information Security Program (WISP) stands out from its competition by covering management, operational, and technical controls, based on the National Institute of Standards & Technology (NIST) 800-series publications and ISO 27000-series standards.
The threats are real, so you need to both protect your company from these threats and also have the ability to prove documentation of the steps you took to ensure due care and due diligence. Additionally, consumers want to do business with companies that they trust will protect their personal information and credit card numbers.
- We are here to assist businesses that require our specialized knowledge & experience
- Information Security is too important to be left to amateurs or partial solutions
- Every company needs robust security policies, procedures, standards & guidelines
- Our policies are written in a business-context so users can clearly grasp requirements
- Our products are based on industry-recognized best practices & standards
- Our solution is affordable and straightforward to implement
The Written Information Security Program (WISP) contains the following policies:
- Acceptable Use
- Access Control
- Asset Inventories
- Audit & Accountability
- Business Continuity Planning
- Change Control
- Communication Protection
- Communications Technology
- Compliance (Regulatory & Non-Regulatory)
- Computer Lifecycle Program
- Configuration Management
- Contingency Planning
- Data Breach
- Data Classification
- Data Collection
- Data Protection & Storage
- Data Retention
- Developing Secure Systems
- Digital Signatures
- Disaster Recovery Planning
- Electronic Communications
- Electronic Communications Retention
- Encryption (Transmission & Storage)
- Firewall & Router Security
- Identity Theft Protection
- Incident Response
- Intranet
- Maintenance
- Malicious Software Prevention (Antivirus)
- Media Protection
- Monitoring Activities
- Operating System Standards
- Penetration Testing
- Personal Electronic Devices
- Personal Use
- Personnel Security
- Physical & Environmental Protection
- Privacy
- Remote Access (VPN)
- Risk Assessment
- Risk Management
- Security Awareness & Training
- Security Control Testing
- Security Program Management
- Service Provider Management
- Software Development
- System Protection
- Systems & Service Acquisition
- Username & Password Control
- Vulnerability Assessments
- Wireless Communications
- And More!
WISP includes forms to allow businesses to implement a security program within minutes:
- Administrator Account Request Form
- Change Management Request Form
- Contractual Service Provider NDA Form
- Incident Response Form
- References & End Notes
- Security & Compliance Director Appointment Orders
- Service Provider Non-Disclosure Agreement Form
- Terms & Definitions
- User Equipment Issue Form
- User Policy Acknowledgement Form
- And More
Oregon Identity Theft Protection Act
- Security Freeze: All Oregonians will be able to place a security freeze on their credit file maintained by a credit reporting agency, such as Equifax, Experian, or TransUnion.
- Breach Notification: Anyone (business, organization, or individual) who maintains personal information of Oregon consumers will be required to notify his or her customers if computer files containing that personal information have been subject to a security breach.
- Protect SSNs: The Oregon Identity Theft Protection Act prohibits anyone from printing Social Security numbers on cards or documents or publicly displaying or posting a Social Security number. This doesn't apply to the use of SSNs for internal verification purposes. The law allows an exception for records that are required by law to be made available to the public or filed with courts.
- Safeguard PII: If you collect personal information from an individual, such as driver's license numbers or Social Security numbers, you must develop, implement and maintain reasonable safeguards to protect the security and confidentiality of the information. This also includes the proper disposal of information.
Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:
The following shall be deemed in compliance:
Section A:
- A person that complies with a state or federal law providing greater protection to personal information than that provided by this section.
- A person that is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809) as that Act existed on the effective date of this 2007 Act.
- A person that is subject to and complies with regulations implementing the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164) as that Act existed on the effective date of this 2007 Act.
- A person that implements an information security program that includes administrative safeguards such as the following, in which the person:
  - (i) Designates one or more employees to coordinate the security program;
  - (ii) Identifies reasonably foreseeable internal and external risks;
  - (iii) Assesses the sufficiency of safeguards in place to control the identified risks;
  - (iv) Trains and manages employees in the security program practices and procedures;
  - (v) Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
  - (vi) Adjusts the security program in light of business changes or new circumstances;
Section B:
- Technical safeguards such as the following, in which the person:
  - (i) Assesses risks in network and software design;
  - (ii) Assesses risks in information processing, transmission and storage;
  - (iii) Detects, prevents and responds to attacks or system failures; and
  - (iv) Regularly tests and monitors the effectiveness of key controls, systems and procedures; and
- Physical safeguards such as the following, in which the person:
  - (i) Assesses risks of information storage and disposal;
  - (ii) Detects, prevents and responds to intrusions;
  - (iii) Protects against unauthorized access to or use of personal information during or after the collection, transportation and destruction or disposal of the information; and
  - (iv) Disposes of personal information after it is no longer needed for business purposes or as required by local, state or federal law by burning, pulverizing, shredding or modifying a physical record and by destroying or erasing electronic media so that the information cannot be read or reconstructed.
Copyright 2005-2011. All rights reserved. SecurityWaypoint.com is owned by BlackHat Consultants, LLC. BlackHat Consultants, LLC is Veteran owned. We are proud to support the small & medium businesses that help make this a great country.