Key Points - SB583
Here are the main points of SB583 - The Oregon Identity Theft Protection Act (OITPA) - and how an Information Security Policy Manual (ISPM) comes into play. According to the OITPA, companies must:
1. Designate an employee to coordinate a company security program
- ISPM contains authorization orders for a Chief Information Security Officer (CISO) position
2. Identify and reasonably foresee internal and external risks
- ISPM contains sections on risk management and vulnerability assessments
3. Assess the sufficiency of safeguards in place to control risk
- ISPM provides coverage of administrative, technical and physical security procedures
4. Train and manage employees in security practices and procedures
- ISPM stipulates that training is required annually for all employees
- Employees must sign for their equipment and are accountable for it at all times
5. Select service providers capable of maintaining appropriate safeguards
- ISPM provides a section requiring safeguards in dealing with service providers and requires every user to sign an acknowledgement form, regardless of their status within the organization
6. Regularly test and monitor the effectiveness of the security program
- ISPM covers routine checks of security and an annual audit
7. Be able to detect, prevent, and respond to intrusions
- ISPM focuses on user education so that staff are aware of security and can help prevent and detect intrusions
8. Enact proper disposal procedures for data
- ISPM covers the disposal of physical material, including paper and old hardware that contains data
9. Have procedures in place for notification of data breaches
- ISPM covers the requirements for notification following a suspected or known breach
10. Assess risks to the storage and disposal of information
- ISPM covers the proper methods of storing data and the timeline for storage based on data classification
Purchase online at:
www.iSecurityPolicy.com