
Human Capital as a Service

Confidential Information Training Fall 2018


Introduction

Which of These Actions Could Cause a Confidential Information (CI) Incident?

• Conducting a Client Survey? YES… if you use an unapproved tool and/or the survey tool gets hacked
• Reusing a cleansed template for a new client? YES… if the hidden worksheets or the “properties” contain former client information or names
• Using a Robot to automate the testing process? YES… if the Robot captures, stores or transmits PHI/PII without encryption/safeguards
• Storing Client Information on Deloitte OneDrive or Teams? YES… if the MSA has data residency restrictions

ALL OF THE ABOVE


Why is Protecting Confidential Information (CI) So Important?
A CI Incident can lead to a wide range of negative outcomes

Actions that can lead to incidents…

• Sending emails or attachments to the wrong recipients
• Losing laptops, smartphones/tablets or paper documents
• Leaving documents or files on a printer or other public location
• Posting pictures / messages with client logo/references on social media
• Disclosing client information beyond those who need to know
• Sharing a deck or deliverable that is not 100% cleansed with a new client
• Posting proprietary code to a public repository
• Using a third party survey tool

Potential Consequences

• Negative media attention
• Lost client trust
• Damage to Deloitte brand and reputation
• Potential regulatory violations
• Financial or civil penalties
• Contract penalties or termination
• Negative impact on your career

Purpose of Today’s Training

• Many of our Human Capital Offerings involve access to and use of Confidential Information (CI) in delivery of services.
Understanding CI risks and protecting CI is critical to successful delivery of these services

• This training provides baseline CI standards and safeguards to address the most common data access, use, storage
and transfer scenarios

• Some engagements may require additional or different protocols based on services being delivered, client contractual
requirements etc. In such cases you should identify and follow engagement specific protocols for managing CI

• Guidelines for handling Protected Health Information (PHI) are based on HIPAA regulatory requirements and therefore
must be followed

• The appropriate safeguards corresponding to engagement methods of CI access, use and storage, and transfer should
be implemented on your engagement and all engagement team members should be educated on these CI safeguards
and requirements
What Do You Need to Know About CI?

What is Confidential Information?

How should you safeguard Confidential Information?

What should you do in the event of a Confidential Information Incident?

Where can you get help or more information?


What is Confidential Information?

Module 1: What is Confidential Information?

By the end of the module, you should be able to:


− Recognize the background and imperative for the Epic Access Agreement

− Identify the different types of Confidential Information


− Recognize important handling requirements associated with specific types of Confidential
Information

What is CI?

Customer Information
Information about an organization’s customers
• Usage rates, pricing, sales pipeline, and marketing information

Competitive Intelligence
Information about an entity’s products, customers or competitors, or any aspect of the competitive environment
• Merger and acquisition information, products, markets, pricing, or business plans

Personally Identifiable Information (PII)
Information that directly or indirectly identifies an individual or that relates to an identifiable person
• Name, address, date of birth, personnel number; purchase history, photos, or call history
• Government identifiers (SSN), account numbers such as bank or credit card numbers

Sensitive Confidential Information
Privileged or proprietary information that could cause serious harm to an entity if compromised
• IPO, forensic investigation, fraud investigation, restructuring, or bankruptcy; any information client considers sensitive

Intellectual Property (IP)
Creations of the mind for which exclusive rights are recognized.
• Methodologies, deliverables, products and services information, and software
• May be protected using trade secrets, trademarks, copyright, and patents

Protected Health Information (PHI)
Information that is individually identifiable, health related, and subject to HIPAA* regulations
• Medical records, diagnosis, treatment information, health status
• Health insurance records or claim payment information
• PHI is PII that is health-related and maintained by or on behalf of a medical provider (hospital, pharmacy, doctor) or a health insurance plan

Financial Information
Information about an entity’s finances
• Salary information or other non-public financial information

*Health Insurance Portability and Accountability Act

Certain Types of CI Require Special Care

Types of CI requiring special care:

Personally Identifiable Information (PII)

Protected Health Information (PHI)

Special Handling PII (SH-PII)
• Includes first name/initial and last name plus:
– SSN Number
– Drivers License # or Government ID #
– Credit card or bank account # and security codes
– Credentials/Log-in information

Sensitive PII
• Includes PHI, as well as information about racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership or sexual orientation

Financial Information

Handling requirements:

• Use minimum necessary
• Avoid storing on Deloitte laptops or infrastructure
• NEVER transmit via or store on a PERSONAL DEVICE
• Watch for client requirements which may further restrict:
– Access
– Storage and transmission
– Offshore access

All PII and Financial Information must be encrypted if emailed EXTERNALLY

PHI, SH-PII and Sensitive PII must be encrypted if emailed INTERNALLY

Other Types of CI Also Require Safeguards
This includes information with strategic significance to Clients, Deloitte or Third Parties

Intellectual Property
• Trade secrets, policies and/or procedures and technological advances

Competitive Intelligence
• Knowledge of acquisitions or divestitures

Customer Information
• Customer lists

Safeguards:
• ENCRYPTED attachments are RECOMMENDED for highly sensitive information
• Do not share information heard in meetings with those outside the team
• Do not reuse engagement deliverables for any other purpose
• Do not share competitor information learned at a previous client or from a former employer

Confidential Information Safeguards
Module 2: Confidential Information Safeguards

By the end of the module, you should be able to:


− Recognize the background and imperative for the Epic Access Agreement

− Identify the CI leading practices for Data Access, File Sharing and Collaboration, Email
and Data Destruction
− Explain special requirements for Cloud Collaboration and Testing and AMS Support
− Articulate CI requirements for subcontractors
− Define other types of CI safeguards for special situations
CI Access

DO
✓ Limit access to the minimum CI necessary
✓ Limit access to only key Team Members with a business need – NOT the whole team
✓ Limit the data elements that are viewable
✓ Track access to systems CI especially if PII/PHI is involved
✓ Use only approved machines (e.g. Deloitte or client) to access CI
✓ Use strong passwords (10 characters, Upper/Lower Case and Special Characters)

DO NOT
× Do not download attachments with CI to a smartphone / tablet
× Do not use personal / home / spouse devices
× Do not share system passwords or logins – even with team members who may have access to that system
× Never share, post or email login credentials or passwords
× Don’t access via non-trusted connection or via a browser on your phone

CI Storage and Collaboration

PII / PHI

DO
✓ PHI must remain on client infrastructure or be stored in a Secure Repository
✓ PHI on laptops must be WinZip encrypted

DO NOT
Never STORE PHI or PII on:
× Deloitte laptops or portable devices
× Deloitte SharePoint, ShareFile, OneDrive/Teams
× Deloitte network drives

Any CI

DO
✓ Use approved Deloitte or Client sites only
✓ Understand potential contract restrictions
✓ Limit storage to minimum necessary
✓ Store one copy of CI centrally when possible

DO NOT
Never use:
× USB drives or other external drives/devices
× Home computers or other personal devices
× Third Party/Personal sites and tools
× Do NOT share CI data in Incidents/Tickets on ticketing tool for HC as a Service engagements

Cloud Collaboration

Deloitte Tools are GENERALLY APPROVED, but… Some Accounts / Engagements have restrictions

Client cloud tools are NOT automatically approved. Some of them may be restricted and require additional safeguards

Personal/Unapproved Third Party cloud tools are NEVER PERMITTED

• Understand if you have contract restrictions (data residency or cloud)
• Understand the type of data you will store - approved use varies by type of data
• Work with your CI Industry Lead and QRM to confirm appropriate contract language
• Obtain a formal exception for use of restricted tools
• Implement safeguards:
– Client should manage access
– Segregate access to client and Deloitte
– Upload only materials related to this client
– Do not post Deloitte internal files or IP
• Submit a support ticket and/or contact your local Technology walkup for guidance on approved tools

Email and Encryption

PHI & most PII must be encrypted

DO
✓ Avoid emailing or use client email if available
✓ You must encrypt if Deloitte email is necessary
✓ WinZip encryption or SFTP is required

DO NOT
× Do not transmit without encryption

Other CI may require encryption as well

DO
✓ Send in an attachment, rather than email body
✓ Encrypt the attachment and send password separately through different medium
✓ Clear email auto-fill list to prevent sending to unintended recipients
✓ Always check recipient lists for accuracy

DO NOT
× Never email any type of CI via or to a personal email
× Never forward content you haven’t reviewed
× Do not auto-forward emails from a client account to Deloitte account

Physical Safeguards

Laptop/Desktop/Other Devices

DO
✓ Position laptops so that client data is not visible to unauthorized personnel
✓ Use a privacy screen
✓ Lock your computer (CTRL-ALT-DELETE) when you walk away. Don’t change default (10 min)

DO NOT
× Do NOT leave your laptop unattended
× Never leave your laptop or other devices in checked luggage, unless required by local security
× Do NOT use personal/home/spouse/public computers to access CI

Work Environment

DO
✓ Use conference rooms, phone rooms, or offices
✓ Maintain a clean desk policy
✓ Remove CI and erase whiteboards after meetings
✓ Keep doors to restricted areas locked

DO NOT
× Do not discuss the client in public spaces such as coffee shops or airports
× Do not share badges and/or entry passwords with team members

Other Safeguards

Hard Copy CI
• Avoid printing CI whenever possible. Use SecurePrint if printing is necessary
• Hand deliver if you need to transport
• Store hard copy CI in locked file cabinets and remove CI after meetings in conference rooms
• Use locked shred it containers to dispose

Screenshots, Deliverables, Demonstrations
• Verify that Privacy Data or other sensitive CI is not included
• Do NOT conduct training or a demonstration from a system housing live production data
• Do not take pictures of CI
• Do not screen share PHI/PII when presenting on a call

Publicity, Qualifications
• Verify that the client and contract approve before sharing qualifications
• Obtain leadership approval prior to creating any publicity related to your client

Testing and AMS Support

You may have access to CI in a number of scenarios

• You may view PII/PHI on a screen or discuss it with a customer
• The Client may email you a screenshot containing CI to resolve an issue
• You may come in contact with sensitive data as you resolve a ticket
• You may need to use real/production data to recreate and resolve an issue with a data load

Safeguards

Access
• Remember that PII/PHI is still sensitive, even if just viewed, spoken or heard
• Do not share with others who are not authorized

Sharing and Collaboration
• If you need to share screenshots, sharing within the client environment is preferred (i.e. exchange via client SharePoint)
• Do not store test information containing PII/PHI on a Deloitte SharePoint, ShareFile, OneDrive or Teams site

Email
• If the client must email a screenshot, client email is preferred
• PHI/PII must be encrypted
• Do not forward emails and NEVER AUTO FORWARD
• Delete as soon as you are done

Requirements for Subcontractors

Device Usage
• Subcontractors must use Deloitte or client laptops
• If subcontractor HAS NOT been onboarded through Talent, visit the CWS page. Choose “Deloitte laptop provided” in the Access and Setup Requirements section
• If subcontractor HAS already been onboarded, go to nearest Deloitte office and work with the TSS Site Manager to provision a laptop
• Do not access client or Deloitte email from personal mobile devices

Training
• Complete Commit to Confidentiality course as required by CWS and follow CIMP

Access
• Subcontractor profiles must be restricted to access only the minimum CI required per the contractual agreement

Contractual Obligations
• Meet all contractual requirements, including BAA (if access to PHI)

Data Retention and Destruction

Retain

DO
Archive required documents in eDRMS2
✓ Official records
✓ Information subject to a Preservation Notice (aka legal hold)

DO NOT
Do not retain CI at the end of an engagement
× Deliverables are client property
× Deloitte IP is Deloitte property
✓ Anything on your laptop must be cleansed

Destroy

Everything else must go!
✓ Permanently delete files on your laptop and in email
✓ Shred hard-copy information

CI Incidents
Module 3: Confidential Information Incidents

By the end of the module, you should be able to:


− Recognize the background and imperative for the Epic Access Agreement

− Define examples of CI Incidents


− Articulate the difference between a Device Incident and Non-Device Incident
− Describe the steps to take in the event of a potential CI incident
What Should You Do in the Event of a CI Incident?

What Constitutes a Confidential Information Incident?

Device Incidents
Lost, stolen or compromised:
• Laptop
• Phone / PDA
• Tablet
• USB, CD/DVD, External Drive
• Badge or Token
Includes Deloitte, Client and Third Party Devices

Non-Device Incidents
Inappropriate use, access, storage or transfer:
• Misdirected email/text/call containing client Confidential Information
• Wrong file attachment sent
• Client sends us PHI/PII we do not require
• Lost/stolen work papers containing Confidential Information
• Notes left in a taxi cab
• System errors that lead to inadvertent disclosure of Confidential Information

Report POTENTIAL Confidential Information Incidents ASAP

• Call 1-800-Deloitte or submit via Online Incident Reporting Tool
• 1-800-Deloitte can be used for any incident
• Online tool is for Non-Device Incidents only
• Alert Engagement Leadership
• Submit online incident report
• Complete next steps as instructed depending on the nature of incident

DO NOT communicate with the client or others who do not need to know

Tips and Reminders to Avoid CI Incidents

Email is a leading source of incidents


• Use encrypted attachments for anything that would wreak havoc if in the wrong hands

Expect the unexpected from the Client


• Clients may send information our teams don’t need or are not authorized to have
• CI may be hidden in embedded files, worksheets, or pivot tables and shared without knowledge

“What happens in Vegas, stays in Vegas”…the same goes for the Client
• What you may consider common knowledge may be client sensitive
• Resist the urge to divulge too much

There are no points for creativity


• Access, store, and transfer CI via approved methods only. Deadlines are not excuses
• Never use Third Party or personal devices, email, collaboration, storage or tools for Deloitte or Client CI

Don’t be a hoarder
Documents saved for future reference must be 100% cleansed

Team Member Requirements

Today’s training will review CI requirements that are NOT CLIENT-SPECIFIC. Your engagement may have additional CI requirements

When joining an engagement

1 Keep “My Compliance Dashboard” up to date
• Make sure that “My Compliance Dashboard” is up to date for all Confidentiality and Privacy (or equivalent) requirements

2 Complete required training
• Complete any required Deloitte CI Training (HC as a Service CI Training or Engagement-specific CI Training if required)

3 Follow Client-specific procedures
• Understand the key confidentiality contract terms and conditions relevant to the engagement

4 Implement CI Management safeguards
• Comply with all specific data protection policies and procedures as noted in the above trainings

5 Complete Client specific trainings
• Complete any Client-required training if required and understand security standards

When leaving an engagement

1 Comply with CI policies
• Archive Deloitte official records according to applicable retention policies and(or) contractual requirements as appropriate

2 Permanently delete CI
• Delete all other electronic files no longer in use from Deloitte machine and Outlook folders as well as any other removable media

3 Permanently destroy hard copy documents
• Shred all hard copy documents that contain CI or return them to the client as appropriate

4 Revoke access to client systems
• Request access to be removed to any client system, or e-Room/SharePoint site related to your engagement

5 Return client assets
• Return access ID/Laptop/VPN token to the clients building when you are no longer working on client engagement

More Information
Module 4: More Information

By the end of the module, you should be able to:


− Recognize the background and imperative for the Epic Access Agreement

− Identify additional resources and know where to find answers to CI questions


Where Can You Get Help or More Information?

Account / Engagement Leadership

Account Risk Manager

Consulting Office of Confidentiality and Privacy: Industry Contacts
• Consulting CI Program Champion: Cindy Nutini
• Consumer: Uma Iyer
• Energy, Resources & Industrials: Monika Rolo
• Financial Services: Roman Coleman
• Life Sciences & Health Care: Roberta Puffer Blaseos
• Technology, Media and Telecom: Matthew Blackmon

Consulting CI Program Website


CI How Do I…?

Report a CI Incident
• Lost or stolen laptop or other device? Call 1-800-DELOITTE
• Non-Device incidents: Click here to report OR call 1-800-DELOITTE
• Complete online incident report
• Non-Device: Schedule Consultation call within 24 hours. Include:
– Leadership and Team Members as appropriate to explain incident
– Your Engagement Risk Manager
– US OCP Incident Response Team: Sandy D’Souza or Lauren Bazri/Sarah Raimundo
– Consulting OCP: Cynthia Nutini (Consulting CI Champion) and Consulting CI Industry Lead
– Office of General Counsel (OGC): Gregg D. Smith or Keith Apple
– Information Technology Services (ITS): Joe Guckiean (if documents must be deleted from Deloitte email or infrastructure)

Share Files and Collaborate
• Approved File Sharing and Collaboration Tools
• Approved Encryption Tools
• Secure File Transfer
• Tips for safer emails (video instructions for email auto delay and emptying/disabling Outlook auto complete)

Obtain a Client Cloud Exception
• Link to CCO mailbox for exception
• For more information: Cloud Storage Controls

Respond to Clients
• Client Inquiry and Response Support
• Deloitte Information Security Statement
• Deloitte’s Approach to Confidentiality – An Overview for Clients (approved for external use)

Review Deloitte Policies Related to CI
• Confidentiality of Client Information (DPM 10240)
• Electronic Communications (APR 208)
• Proprietary Information (APR 223)
• Information Security Policy (APR 310)
• Records Management and Retention (APR 601)
• Privacy Policy (APR 910)
• Laptop Security Policy (APR 340)

Manage Records
• Consulting Records Management
• Access eDRMS 2

Identify My Consulting Risk Manager
• Find your Consulting Risk Manager

Appendix
Personally Identifiable Information (PII) is one of the most sensitive types of CI

Personally Identifiable Information (PII)
Information that may directly or indirectly identify an individual or that relates to an identifiable person
Examples include:
• Government identifiers (SSN), bank or credit card numbers
• Address, date of birth, personnel number
• Photography, or video identifiable to an individual

What Is CI?
Two types of PII require special care
Special Handling PII (SH PII)
Special Handling PII includes an individual’s first name or first initial and last name and one or more of the
following:
• Government identifiers such as Social Security numbers, driver license numbers, or state ID numbers
• Financial account numbers or credit or debit card numbers in combination with any required security code,
access code, or password to access a person’s financial accounts
• User names or email addresses in combination with passwords or security question answers that would
permit access to online accounts

Protected Health Information (PHI)


PHI is a type of PII that includes information transmitted or maintained in any form or media by a HIPAA*-
covered entity that identifies an individual or with respect to which there is a reasonable basis to believe the
information can be used to identify an individual.
Examples include:
• Medical records, diagnosis, or treatment information
• Health insurance records or claim payment information
• Smoking status
* HIPAA stands for Health Insurance Portability and Accountability Act. HIPAA specifies requirements for Privacy
and Security of PHI

If Special Handling PII or PHI is lost or disclosed to unauthorized parties, then a data breach may result if the information
is not appropriately encrypted
PHI or “PHI-like” Information
If data is individual specific, health-related, and from a Covered Entity, it is PHI

Individually Identifiable + Health related = Protected Health Information (PHI)

Data must come from a Covered Entity or Business Associate to be PHI or PHI-Like

Individually Identifiable
• Names, including initials
• Street address, city, county, precinct, Zip or equivalent codes
• Dates
• Telephone numbers
• Fax numbers
• Email addresses
• Social Security Numbers
• Medical record numbers
• Health plan ID numbers
• Account numbers
• Certificate license numbers
• Vehicle IDs, license, and serial numbers
• Device ids and serial numbers
• Web address
• Internet IP address
• Biometric identifiers, including finger & voice prints
• Full face photographic images
• Any other unique identifying number, characteristic or code

Health related
Information relating to physical or mental health or condition, the provision of health care, or payment for the provision of healthcare, such as diagnosis, treatment, payment, or health insurance information
• May be in the past, present or future
• May exist in any form:
– Electronic
– Paper
– Viewed on a screen
– Verbal
• Includes but is not limited to:
– Diagnosis
– Treatment
– Payment

Covered Entities include:
• Hospitals
• Health plans, including health, dental, vision, and prescription drug insurers,
• Health maintenance organizations (“HMOs”),
• Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers
• Long-term care insurers

Certain types of entities are NOT considered covered entities, such as:
• Entities providing Workers Compensation, Auto or Property and Casualty Insurance
• Government-funded programs, such as food stamps or programs making health care grants or providing community health services

Business Associates are persons or entities that perform certain functions or activities that involve the use or disclosure of PHI on behalf of a Covered Entity or provide services to a Covered Entity. Deloitte is a Business Associate when we work with a client who is a Covered Entity. Likewise, Deloitte’s subcontractors and those of our clients may also be Business Associates if we are handling or accessing PHI

Safeguards for Offshore Access to PHI

Onboarding
• Complete HIPAA training on regulations for handling PHI required as part of onboarding process. Annual recertification.
• Complete Onboarding Checklist

Offboarding
• Conduct DLP scans of laptops and desktops at offboarding or project close to confirm that no PHI or other sensitive data was stored
• Data Manager confirms that all Offboarding steps (standard and Offshore) have occurred (rather than relying on practitioner)
• Complete Offboarding Checklist

Data access
• Access PHI ONLY from a client or other designated secure facility. Any exceptions require QRM/OCP approval
• No remote access to the client environment is permitted outside of the client or security facility
• Provide role-based access to client data. Limit access to PHI to as few team members as possible.
• Maintain detailed access control log (ACL) to track team member access to client systems and PHI. Require dual / MFA to access client systems
• Access client systems through Citrix/Remote desktop/VDI only
• Remove administrator privileges (if present) from user account/s on desktop/s to confine any changes to software installations and User Access
• Activate administrator-controlled password enabled screen time-out and Windows Screen Saver settings to avoid unintended system intrusion
• Access block to all websites (including Deloitte sites)
• Block internet for users/testers who will have to access unmasked data
• Any exceptions to allow remote access to client system (such as for 24/7 support) must be defined in the contract

Data use and storage
• For machines that are operating in the clean room environment:
– Block Deloitte’s Secure Print functionality from machines
– Disable printer access to protect transfer of PHI data outside of encrypted system / VDI
– Disable collaboration tools like Snag It, Snipping Tool, Lync, Skype, WebEx etc.
– Disable media utilities like camera (if present on machines)
– Disable Microsoft Windows functionalities like Function+Print Screen / Function+ALT+Print Screen
– Disable USB ports
– Remove Microsoft Office suite of tools
– Disable OneNote screen clipping functionality
– External storage drive write capabilities disabled on computers
– Copy/Paste will be deactivated to/from the VDI machine

Data transfer
• Implement a Data Loss Prevention (DLP) ruleset to monitor data movement and exfiltration of PHI, as well as to provide a failsafe to block or monitor copy/print/download activity. DLP rule set required on Deloitte laptops; may be optional on clean room desktops pending other controls
• Restrict Deloitte Outlook including Webmail to protect transfer of PHI data outside of encrypted system
• Allow only client account webmail via VDI (or Remote Desktop) to enable electronic communication and status reporting purposes.
• Remove Microsoft Office suite of tools (to protect transfer of PHI data outside of encrypted system)
• Avoid emailing PHI whenever possible. Any PHI that must be transmitted via email should be sent via client email address and must be sent in an encrypted format
• Assign a dedicated shredder for destruction of any materials that must be printed

Physical safeguards
• Work is performed in a high security facility (building and “Clean Room”). Clean room is on a secure floor within a secure building
• Only authorized engagement team members are allowed inside the “Clean Room”. Controls include:
– Restricted badge access
– Guard at the door
– Sign in/sign out
– Visitors are escorted and logged
– 24x7 Video surveillance
• No access to the client environments is permitted outside of the “Clean Room”
• No camera-enabled smart phones, PDAs, tablets allowed
• Printing only on color paper allowed (If needed)
• Use desktops and restricted laptops only to access client data.
• Restricted laptops include the following controls:
– External media/USB disabled
– No camera/Collaboration tools/Printing disabled

Security Threats

Situations and associated safeguards

Phishing attacks
• Approach emails with caution when they contain email attachments or external links – validate the sender address and email context
• Emails from unknown sources, soliciting information should be avoided and reported using Deloitte’s spam reporting plug-in within MS Outlook
• Do not email sensitive information, including PII, PHI, usernames, and passwords
• McAfee Antivirus should be up to date according to Deloitte policies
• Deloitte standard laptops are maintained according to the Deloitte Information Security Statement

Malware and virus infections
• Approach emails with caution when they contain email attachments or external links – validate the sender address and email context
• Emails from unknown sources should be avoided and reported using Deloitte’s spam reporting plug-in within MS Outlook
• Software installation on laptops should be in line with project needs and/or Deloitte approved catalog
• McAfee Antivirus should be up to date according to Deloitte policies
• Deloitte standard laptops are maintained according to the Deloitte Information Security Statement

CI Storage Quick Reference Guide
This table represents leading practices. However, some engagements may have more stringent
requirements due to contractual or other client requirements
Methods | PHI and SPI | Other PII | Other CI
Client Systems/Environment | PREFERRED | PREFERRED | PREFERRED
Client SharePoint, ShareFile or other Client Storage | PREFERRED | PREFERRED | PREFERRED
Client laptop | OK | OK | OK
Deloitte laptop | × | × | If necessary
Deloitte mobile phones or iPads | × | × | ×
Deloitte SharePoint | × | OK | OK
Deloitte OneDrive for Business or Teams | × | × | Depends on contract
Deloitte ShareFile | × | × | OK
Deloitte eDRMS/eDRMS2 (Official records or documents to be retained) | OK | OK | OK
Deloitte network drive | × | × | ×
Deloitte Third Party Hosting (AWS or other Deloitte hosted environment) | Consult with OCP if required
Deloitte or Client Secure FTP | Consult with OCP if required
Personal or mobile computing devices (PDA, iPhone, iPAD, etc.) | × | × | ×
External media (USB, CD, DVD) | × | × | ×
Third-party email or cloud collaboration (Hotmail, Gmail, Dropbox, Google Drive, etc.) | × | × | ×

Visit Approved File Sharing and Collaboration Tools page on DeloitteNet for approved tools and current rules of use
