Which of These Actions Could Cause a Confidential Information (CI) Incident?
• Conducting a Client Survey? YES, if you use an unapproved tool and/or the survey tool gets hacked
• Reusing a cleansed template for a new client? YES, if the hidden worksheets or the “properties” contain former client information or names
• Using a Robot to automate the testing process? YES, if the Robot captures, stores or transmits PHI/PII without encryption/safeguards
• Storing Client Information on Deloitte OneDrive or Teams? YES, if the MSA has data residency restrictions
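The second scenario above (a “cleansed” template that still carries hidden worksheets or document properties) can be checked mechanically before the template is reused. The following is an added example and is not part of the original training deck or any Deloitte tool: it opens an .xlsx as the ZIP of XML parts that it is, flags any sheet whose state is hidden or veryHidden, reports non-empty creator/lastModifiedBy/Company properties, and searches every XML part for former-client terms the caller supplies. The sample workbook it inspects is constructed inside the script; the term list, property list and finding format are this example's own choices.

```python
"""Pre-reuse audit of a 'cleansed' Office template (added example).

An .xlsx file is a ZIP of XML parts. Two places keep leaking a former client
after the visible cells are cleared:
  - xl/workbook.xml: sheets with state="hidden" or "veryHidden"
  - docProps/core.xml and docProps/app.xml: creator, lastModifiedBy, Company ...
Only the standard library is used; the sample workbook below is constructed here.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"
NS_APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

# Properties expected to be empty on a cleansed template (element name -> namespace).
CORE_PROPS = {"creator": NS_DC, "lastModifiedBy": NS_CP, "title": NS_DC,
              "subject": NS_DC, "description": NS_DC}
APP_PROPS = ("Company", "Manager")


def _props(root, props):
    """Yield (name, value) for non-empty properties found directly under root."""
    for name, ns in props.items():
        el = root.find(f"{{{ns}}}{name}")
        if el is not None and (el.text or "").strip():
            yield name, el.text.strip()


def audit_template(xlsx_bytes, former_terms):
    """Return a list of (part, finding) tuples; an empty list means the template is clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        names = set(zf.namelist())
        # 1. Worksheets hidden from the normal sheet tabs.
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in wb.iter(f"{{{NS_MAIN}}}sheet"):
                state = sheet.get("state", "visible")
                if state != "visible":
                    findings.append(("xl/workbook.xml", f"sheet {sheet.get('name')!r} is {state}"))
        # 2. Document properties that still name people or organisations.
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            findings += [("docProps/core.xml", f"{k}={v!r}") for k, v in _props(core, CORE_PROPS)]
        if "docProps/app.xml" in names:
            app = ET.fromstring(zf.read("docProps/app.xml"))
            findings += [("docProps/app.xml", f"{k}={v!r}")
                         for k, v in _props(app, {p: NS_APP for p in APP_PROPS})]
        # 3. Former-client terms anywhere in the package, hidden parts included.
        for name in sorted(names):
            if not name.endswith(".xml"):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for term in former_terms:
                if re.search(re.escape(term), text, re.IGNORECASE):
                    findings.append((name, f"term {term!r} present"))
    return findings


def build_sample_template(leaky=True):
    """Constructed sample .xlsx, not a real client file. With leaky=True the visible
    sheet is empty but a veryHidden sheet, the properties and a cell still carry
    the former client ("Acme Health", fictitious); with leaky=False all are cleared."""
    creator = "analyst@acme-health.example" if leaky else ""
    modified_by = "Acme Health PMO" if leaky else ""
    core = (f'<cp:coreProperties xmlns:cp="{NS_CP}" xmlns:dc="{NS_DC}">'
            f"<dc:creator>{creator}</dc:creator><cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>"
            "<dc:title></dc:title></cp:coreProperties>")
    company = "<Company>Acme Health</Company>" if leaky else "<Company></Company>"
    app = f'<Properties xmlns="{NS_APP}">{company}</Properties>'
    sheets = '<sheet name="Template" sheetId="1" r:id="rId1"/>'
    if leaky:
        sheets += '<sheet name="Acme roster" sheetId="2" state="veryHidden" r:id="rId2"/>'
    workbook = f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>{sheets}</sheets></workbook>'
    empty_sheet = f'<worksheet xmlns="{NS_MAIN}"><sheetData/></worksheet>'
    roster = (f'<worksheet xmlns="{NS_MAIN}"><sheetData><row r="1"><c r="A1" t="inlineStr">'
              "<is><t>Acme Health - Jane Doe - 2019 headcount</t></is></c></row></sheetData></worksheet>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", empty_sheet)
        if leaky:
            zf.writestr("xl/worksheets/sheet2.xml", roster)
    return buf.getvalue()


if __name__ == "__main__":
    for part, finding in audit_template(build_sample_template(), ["Acme", "Jane Doe"]):
        print(f"{part}: {finding}")
```

Inspect the package rather than the rendered workbook: a sheet with state="veryHidden" does not appear in Excel's Unhide dialog, so a visual review of the tabs misses it, and document properties are not cleared by deleting cell contents.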
Purpose of Today’s Training
• Many of our Human Capital Offerings involve access to and use of Confidential Information (CI) in delivery of services. Understanding CI risks and protecting CI is critical to successful delivery of these services
• This training provides baseline CI standards and safeguards to address the most common data access, use, storage and transfer scenarios
• Some engagements may require additional or different protocols based on the services being delivered, client contractual requirements, etc. In such cases you should identify and follow the engagement-specific protocols for managing CI
• Guidelines for handling Protected Health Information (PHI) are based on HIPAA regulatory requirements and therefore must be followed
• The appropriate safeguards corresponding to the engagement’s methods of CI access, use, storage and transfer should be implemented on your engagement, and all engagement team members should be educated on these CI safeguards and requirements
What Do You Need to Know About CI?
Module 1: What is Confidential Information?
What is CI?
Customer Information: information about an organization’s customers
• Usage rates, pricing, sales pipeline, and marketing information
Competitive Intelligence: information about an entity’s products, customers or competitors, or any aspect of the competitive environment
• Merger and acquisition information, products, markets, pricing, or business plans
Personally Identifiable Information (PII): information that directly or indirectly identifies an individual or that relates to an identifiable person
• Name, address, date of birth, personnel number; purchase history, photos, or call history
• Government identifiers (SSN), account numbers such as bank or credit card numbers
Financial Information
Intellectual Property
• Trade secrets, policies and/or procedures and technological advances
Other Types of CI Also Require Safeguards
This includes information with strategic significance to Clients, Deloitte or Third Parties
• ENCRYPTED attachments are RECOMMENDED for highly sensitive information
Confidential Information Safeguards
Module 2: Confidential Information Safeguards
− Identify the CI leading practices for Data Access, File Sharing and Collaboration, Email
and Data Destruction
− Explain special requirements for Cloud Collaboration and Testing and AMS Support
− Articulate CI requirements for subcontractors
− Define other types of CI safeguards for special situations
CI Access
DO
• Limit the data elements that are viewable
• Track access to systems containing CI, especially if PII/PHI is involved
• Use only approved machines (e.g. Deloitte or client) to access CI
• Use strong passwords (10 characters, Upper/Lower Case and Special Characters)
DO NOT
× Do not share system passwords or logins, even with team members who may have access to that system
× Never share, post or email login credentials or passwords
× Don’t access via a non-trusted connection or via a browser on your phone
CI Storage and Collaboration
DO
PII / PHI
• PHI must remain on client infrastructure or be stored in a Secure Repository
• PHI on laptops must be WinZip encrypted (use WinZip’s AES-256 option; the legacy Zip 2.0 password scheme is not adequate protection)
Any CI
• Use approved Deloitte or Client sites only
• Store one copy of CI centrally when possible
DO NOT
Never STORE PHI or PII on:
× Deloitte laptops or portable devices
× Deloitte SharePoint, ShareFile, OneDrive/Teams
Never use:
× Third Party/Personal sites and tools
Cloud Collaboration
• Some Accounts / Engagements have restrictions
• Personal/Unapproved Third Party cloud tools are NEVER PERMITTED
• Understand the type of data you will store; approved use varies by type of data
• Submit a support ticket and/or contact your local Technology walkup for guidance on approved tools
Email and Encryption
DO
• Avoid emailing CI, or use client email if available
• Clear your email auto-fill list to prevent sending to unintended recipients
DO NOT
× Do not transmit without encryption
× Do not auto-forward emails from a client account to a Deloitte account
Physical Safeguards
Laptop/Desktop/Other Devices
DO
• Position laptops so that client data is not visible to unauthorized personnel
• Use a privacy screen
• Lock your computer (CTRL-ALT-DELETE) when you walk away. Don’t change the default lock timeout (10 min)
DO NOT
× Do NOT leave your laptop unattended
× Never leave your laptop or other devices in checked luggage, unless required by local security
× Do NOT use personal/home/spouse/public computers to access CI
Work Environment
DO
• Use conference rooms, phone rooms, or offices
• Maintain a clean desk policy
• Remove CI and erase whiteboards after meetings
DO NOT
× Do not discuss the client in public spaces such as coffee shops or airports
× Do not share badges and/or entry passwords with team members
Other Safeguards
Publicity
• Obtain leadership approval prior to creating any publicity related to your client
Qualifications
• Verify that the client and contract approve before sharing qualifications
Testing and AMS Support
Training
• Complete the Commit to Confidentiality course as required by CWS and follow CIMP
Access
• Subcontractor profiles must be restricted to access only the minimum CI required per the contractual agreement
Contractual Obligations
• Meet all contractual requirements, including a BAA (if access to PHI)
Data Retention and Destruction
CI Incidents
Module 3: Confidential Information Incidents
• Includes Deloitte, Client and Third Party Devices
• Alert Engagement Leadership
“What happens in Vegas, stays in Vegas”…the same goes for the Client
• What you may consider common knowledge may be client sensitive
• Resist the urge to divulge too much
Don’t be a hoarder
• Documents saved for future reference must be 100% cleansed
Team Member Requirements
When joining an engagement / When leaving an engagement
Review Deloitte Policies Related to CI
• Deloitte Information Security Statement
• Confidentiality of Client Information (DPM 10240)
• Electronic Communications (APR 208)
• Proprietary Information (APR 223)
• Information Security Policy (APR 310)
• Records Management and Retention (APR 601)
• Privacy Policy (APR 910)
• Laptop Security Policy (APR 340)
Respond to Clients
• Client Inquiry and Response Support
• Deloitte’s Approach to Confidentiality – An Overview for Clients (approved for external use)
Manage Records
• Consulting Records Management
• Access eDRMS 2
Identify My Consulting Risk Manager
• Find your Consulting Risk Manager
Appendix
Personally Identifiable Information (PII) is one of the most sensitive types of CI
What Is CI?
Two types of PII require special care
Special Handling PII (SH PII)
Special Handling PII includes an individual’s first name or first initial and last name and one or more of the following:
• Government identifiers such as Social Security numbers, driver license numbers, or state ID numbers
• Financial account numbers or credit or debit card numbers in combination with any required security code, access code, or password to access a person’s financial accounts
• User names or email addresses in combination with passwords or security question answers that would permit access to online accounts
If Special Handling PII or PHI is lost or disclosed to unauthorized parties, a data breach may result if the information is not appropriately encrypted
PHI or “PHI-like” Information
If data is individually specific, health-related, and from a Covered Entity, it is PHI
Individually Identifiable + Health related = Protected Health Information (PHI). Data must come from a Covered Entity or Business Associate to be PHI or PHI-Like.
Individually Identifiable
• Names, including initials
• Street address, city, county, precinct, Zip or equivalent codes
• Dates
• Telephone numbers
• Fax numbers
• Email addresses
• Social Security Numbers
• Medical record numbers
• Health plan ID numbers
• Account numbers
• Certificate license numbers
• Vehicle IDs, license, and serial numbers
• Device IDs and serial numbers
• Web address
• Internet IP address
• Biometric identifiers, including finger & voice prints
• Full face photographic images
• Any other unique identifying number, characteristic or code
Health related
Information relating to physical or mental health or condition, the provision of health care, or payment for the provision of healthcare, such as diagnosis, treatment, payment, or health insurance information
• May be in the past, present or future
• May exist in any form: electronic, paper, viewed on a screen, verbal
• Includes but is not limited to: diagnosis, treatment, payment
Covered Entities include:
• Hospitals
• Health plans, including health, dental, vision, and prescription drug insurers
• Health maintenance organizations (“HMOs”)
• Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers
• Long-term care insurers
Certain types of entities are NOT considered covered entities, such as:
• Entities providing Workers Compensation, Auto or Property and Casualty Insurance
• Government-funded programs, such as food stamps or programs making health care grants or providing community health services
Business Associates are persons or entities that perform certain functions or activities that involve the use or disclosure of PHI on behalf of a Covered Entity or provide services to a Covered Entity. Deloitte is a Business Associate when we work with a client who is a Covered Entity. Likewise, Deloitte’s subcontractors and those of our clients may also be Business Associates if we are handling or accessing PHI
Safeguards for Offshore Access to PHI
• Complete HIPAA training on regulations for handling PHI as required as part of the onboarding process. Annual recertification.
• Complete Onboarding Checklist
• Data Manager confirms that all Offboarding steps (standard and Offshore) have occurred (rather than relying on the practitioner)
• Complete Offboarding Checklist
• Conduct DLP scans of laptops and desktops at offboarding or project close to confirm that no PHI or other sensitive data was stored
• Provide role-based access to client data. Limit access to PHI to as few team members as possible.
• Maintain a detailed access control log (ACL) to track team member access to client systems and PHI. Require dual / MFA to access client systems
• Access client systems through Citrix/Remote desktop/VDI only
• Remove administrator privileges (if present) from user accounts on desktops to confine any changes to software installations and user access
• Activate administrator-controlled, password-enabled screen time-out and Windows Screen Saver settings to avoid unintended system intrusion
• Block access to all websites (including Deloitte sites)
• Block internet for users/testers who will have to access unmasked data
• Any exceptions to allow remote access to the client system (such as for 24/7 support) must be defined in the contract
• Access PHI ONLY from a client or other designated secure facility. Any exceptions require QRM/OCP approval
• No remote access to the client environment is permitted outside of the client or security facility
• Work is performed in a high security facility (building and “Clean Room”). The clean room is on a secure floor within a secure building
• Only authorized engagement team members are allowed inside the “Clean Room”. Controls include:
− Restricted badge access
− Guard at the door
− Sign in/sign out
− Visitors are escorted and logged
− 24x7 Video surveillance
• No access to the client environments is permitted outside of the “Clean Room”
• No camera-enabled smart phones, PDAs, tablets allowed
• Printing only on color paper allowed (if needed)
• Use desktops and restricted laptops only to access client data. Restricted laptops include the following controls:
− External media/USB disabled
− No camera; collaboration tools and printing disabled
• For machines that are operating in the clean room environment:
− Block Deloitte’s Secure Print functionality from machines
− Disable printer access to protect against transfer of PHI data outside of the encrypted system / VDI
− Disable collaboration tools like Snag It, Snipping Tool, Lync, Skype, WebEx etc.
− Disable media utilities like the camera (if present on machines)
− Disable Microsoft Windows functionalities like Function+Print Screen / Function+ALT+Print Screen
− Disable USB ports
− Remove the Microsoft Office suite of tools (to protect against transfer of PHI data outside of the encrypted system)
− Disable OneNote screen clipping functionality
− External storage drive write capabilities disabled on computers
− Copy/Paste deactivated to/from the VDI machine
• Implement a Data Loss Prevention (DLP) ruleset to monitor data movement and exfiltration of PHI, as well as to provide a failsafe to block or monitor copy/print/download activity. The DLP rule set is required on Deloitte laptops; it may be optional on clean room desktops pending other controls
• Restrict Deloitte Outlook, including Webmail, to protect against transfer of PHI data outside of the encrypted system
• Allow only client account webmail via VDI (or Remote Desktop) to enable electronic communication and status reporting
• Avoid emailing PHI whenever possible. Any PHI that must be transmitted via email should be sent via a client email address and must be sent in an encrypted format
• Assign a dedicated shredder for destruction of any materials that must be printed
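The Special Handling PII definition in the appendix and the DLP scan required at offboarding or project close can be combined into a small sweep. The following is an added example, not part of the training deck and not a Deloitte tool: it applies the appendix’s rule (a first name or initial plus last name, together with a government identifier, a card or account number plus its code, or an email plus a password) to each file in a directory, using the SSA format rules on SSNs and a Luhn check on card numbers to cut false positives. The sample files it scans are constructed by the script; the name heuristic, the component labels and the regexes are this example’s own assumptions. Note what the rule deliberately does not flag: a credential with no name beside it, or a name next to an SSN whose area number cannot be issued.

```python
"""Offboarding sweep for Special Handling PII (added example, not a Deloitte tool).

SH PII, per the appendix, is a first name (or initial) plus last name together
with at least one of: a government identifier, a financial account/card number
plus its access code, or a username/email plus a password. Each detector below
is kept conservative: SSNs must pass the SSA format rules, card numbers must
pass Luhn, and a credential needs both halves. The name detector is a plain
capitalised-pair heuristic and is the main source of false positives.
"""
import os
import re
import tempfile

NAME_RE = re.compile(r"\b[A-Z](?:[a-z]+|\.) [A-Z][a-z]+\b")      # "Jane Doe" or "J. Doe" (heuristic)
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")                  # 13-19 digits, spaces/dashes allowed
CODE_RE = re.compile(r"\b(?:cvv|cvc|pin|security code|access code)\b\s*[:=]?\s*\d{3,6}", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
PASSWORD_RE = re.compile(r"\b(?:password|passwd|pwd)\b\s*[:=]\s*\S+", re.I)


def valid_ssn(area, group, serial):
    """SSA never issues area 000/666/900-999, group 00 or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_ok(digits):
    """Luhn check-digit validation over a string of decimal digits."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return (is_sh_pii, sorted list of SH PII components found in text)."""
    hits = set()
    if NAME_RE.search(text):
        hits.add("name")
    if any(valid_ssn(*m.groups()) for m in SSN_RE.finditer(text)):
        hits.add("gov_id")
    cards = (re.sub(r"\D", "", m.group(0)) for m in CARD_RE.finditer(text))
    if any(luhn_ok(c) for c in cards) and CODE_RE.search(text):
        hits.add("financial_account_with_code")
    if EMAIL_RE.search(text) and PASSWORD_RE.search(text):
        hits.add("credential")
    # The appendix rule: a name AND at least one of the other elements.
    is_sh_pii = "name" in hits and len(hits) > 1
    return is_sh_pii, sorted(hits)


def scan_dir(path):
    """Classify every regular file directly under path; returns {filename: classify(...)}."""
    results = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="ignore") as fh:
                results[name] = classify(fh.read())
    return results


# Constructed sample files; none of these values belong to a real person.
SAMPLE_FILES = {
    "roster.csv": "Jane Doe,123-45-6789,Analyst\n",
    "card.txt": "Cardholder: J. Doe\nCard 4111 1111 1111 1111 cvv 123\n",
    "creds.txt": "login ops@client.example password=Summer2024!\n",
    "ssn_invalid.txt": "Jane Doe 000-12-3456 (test record)\n",
    "notes.txt": "Status report for week 12. No issues.\n",
}


def build_sample_dir():
    """Write the constructed samples to a fresh temp directory and return its path."""
    path = tempfile.mkdtemp(prefix="dlp_sweep_")
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(path, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return path


if __name__ == "__main__":
    for name, (flag, parts) in scan_dir(build_sample_dir()).items():
        print(f"{'BLOCK' if flag else 'ok   '} {name}: {parts}")
```

A sweep of this kind only confirms that no SH PII remains in plain text on the device; it cannot tell whether health data came from a Covered Entity, so PHI status still comes from the engagement’s data inventory and contract, not from the scan.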
Security Threats
Phishing attacks
• Do not email sensitive information, including PII, PHI, usernames, and passwords
• McAfee Antivirus should be up to date according to Deloitte policies
• Deloitte standard laptops are maintained according to the Deloitte Information Security Statement
Visit Approved File Sharing and Collaboration Tools page on DeloitteNet for approved tools and current rules of use