Information Security and CASA Programs
The broad and ever-changing field of information security poses specific challenges to CASA programs. Unlike many other businesses or nonprofit organizations, CASA programs create, collect, access, and store information that falls into several distinct categories, and each category carries its own security requirements.
Categories of Information
Information security requirements related to the information programs create, collect, access and store come from a variety of entities, including:
•Federal, state and local law (IRS, Secretary of State, FLSA, FMLA, HIPAA, Public Information Act)
•Funders (OAG, VOCA, OVAG, United Way, etc.)
•Texas Administrative Code for the Operation of Local CASA/GAL Programs
•DPS/FBI
•DFPS
•Texas CASA and National CASA Standards
Category A
Case and Child Information
•Case files
•Case Connection
•Case correspondence
•Medical provider info
Category B
Volunteer Information
•Identifying info
•Background and screening checks
•Medical, mental health, family history
•Evaluations, reviews
•Dismissal info
Category C
Personnel Information
•Identifying info
•Background and screening checks
•Medical/insurance info
•Salary info
•Evaluations, reviews, grievances
Category D
Financial Information
•Accounting and banking info
•Annual budget
•Annual audit
•Salary info
•Fundraising info
•IRS filings
Category E
Organizational Information
•Nonprofit and legal documents
•Board minutes
•Policies and procedures
•General correspondence
•Promotional and publicity info
Risk Management
As programs strengthen their information security policies and practices to comply with all applicable requirements, they should first assess the level of risk associated with each category of information and with the way that information is created, collected, accessed and stored. That assessment identifies the first and most critical action steps.
Common Causes of Information Security Breaches
Electronic Security Breach: Inadequate or lost passwords; inadequate virus protection; inadequate firewall and network structure; unrestricted screen viewing; inadequate backups (frequency, on-site or off-site location, versioning); loss of a mobile device; inadequate document destruction; erroneous sharing via insecure channels (email, texting, some cloud applications); failure to deactivate account access when a person leaves
Hard Copy Security Breach: Inadequate secure storage; inadequate access and viewing restrictions; inadequate document destruction
High Risk of Potential Harm, Most Likely to Occur
•Electronic security breach, all category A
•Electronic security breach, financial account numbers and passwords
•Electronic security breach, all categories B, C
High Risk of Potential Harm, Less Likely to Occur
•Hard copy security breach, all category A
•HIPAA violation resulting in legal action
•Hard copy security breach, all categories B, C
Low Risk of Potential Harm, Most Likely to Occur
•Electronic security breach, category D
•Electronic security breach, category E
Low Risk of Potential Harm, Less Likely to Occur
•Hard copy security breach, category D
•Hard copy security breach, category E
Information Security Issues/Requirements
To begin to address the most pressing information security issues, programs need to understand the specific security laws, rules, regulations, requirements and standards that apply to the different categories of information. The following list is designed to help programs begin to assess the various requirements related to the information they create, collect, access and store. It is not all-inclusive and programs are required to independently assess their own security needs and adapt both policy and practice accordingly.
Category A: Case and Child Information
Agency, Entity or Law: Texas Family Code
Relationship to Local CASA Programs: Texas statute that defines the rights and responsibilities of CASA programs and CASA advocates; also incorporated in local court Orders of Appointment
Training Required? No
Training Materials: NA
Signed Agreement? Yes, court order
Audit: No
Summary Requirements:
Confidentiality of files, reports, records, communications, and working papers used or developed in providing services
Agency, Entity or Law: Texas Administrative Code
Relationship to Local CASA Programs: State administrative rules that establish the requirements for operation of local CASA programs
Training Required? No
Training Materials: NA
Signed Agreement? No
Audit: No
Summary Requirements:
A volunteer, director or employee may not communicate any confidential information about an individual being served by a local program to a person who is not authorized to know the confidential information
Agency, Entity or Law: HIPAA (Health Insurance Portability and Accountability Act)
Relationship to Local CASA Programs: Federal and state law
Training Required? No
Signed Agreement? No
Audit: No
Summary Requirements:
Appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form
Reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information
Implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored
Agency, Entity or Law: Texas Department of Family and Protective Services (DFPS)
Relationship to Local CASA Programs: State agency that administers the Case Connection portal and the Automatic Background Check System (ABCS), which provides Central Abuse and Neglect Registry information
Training Required? Yes
Training Materials:
“DFPS Enter Background Check Request-A Step by Step Guide for Designated ABCS Representation”
“DFPS Security Requirements for CASA Organizations”
Signed Agreement? Yes
Audit: Possible; no formal or rotational schedule
Summary Requirements:
Restricted access to authorized individuals
Establish and maintain oversight and quality assurance around security
Maintain an authorized user list
Procedure to report security breaches
Electronic copies or storage only on devices encrypted at the disk or device level
Prohibition on access via public computers or devices
Virus protection and safety protocol including firewalls, anti-spyware, and anti-adware
Paper copies labeled confidential
Document destruction policy
Secure password and password-protected screen lock-out
Deactivation of access for terminated personnel
*Also applicable to Categories B, C, specifically related to the Central Abuse/Neglect Registry Check
Agency, Entity or Law: National CASA
Relationship to Local CASA Programs: National membership organization
Training Required? No
Signed Agreement? No
Audit: Self-assessment
Summary Requirements:
Electronic case data is backed up on a separate system at least once a week and the backup is off site
Established procedures for encrypting confidential email messages sent through public accounts
Operational procedures and policies that govern IT systems, software, electronic data and information sharing via electronic media
Operational procedures for document retention, storage and destruction
*Also applicable to Categories A, B, C, D, E
Agency, Entity or Law: Texas CASA
Relationship to Local CASA Programs: State membership organization
Training Required? No
Signed Agreement? No
Audit: Currently not monitoring for security requirements
Summary Requirements:
Electronic case data is backed up on a separate system at least once a week and the backup is off site
Operational procedures and policies that govern IT systems, software, electronic data and information sharing via electronic media
Operational procedures for document retention, storage and destruction
*Also applicable to Categories A, B, C, D, E
Categories B, C: Background Checks for Volunteers and Employees
Agency, Entity or Law: Texas Department of Public Safety (DPS)
Relationship to Local CASA Programs: State agency that administers fingerprint submission and criminal history information
Training Required? Yes
Training Materials:
5 online modules accessed during account setup
“TxDPS Crime Records Service Secure Website: Criminal History Record Information”
“FACT Clearinghouse User Guide”
Signed Agreement? Yes
Audit: Yes, once every 3 years
Summary Requirements:
Restricted access to authorized individuals
Records stored electronically are subject to FBI CJIS Security Policy 5.0
Adequate physical security to prevent unauthorized viewing of records (locked files)
Paper records must be stored separately from files accessed by non-authorized users
Screen lock after 30 minutes of inactivity requiring password reentry
Secure disposal of records and deactivation of rap back access
Agency, Entity or Law: U.S. Department of Justice, Federal Bureau of Investigation (FBI), Criminal Justice Information Services (CJIS) Division
Relationship to Local CASA Programs: Federal agency database accessed for criminal history information
Training Required? Yes
Training Materials:
“Criminal Justice Information Services (CJIS) Security Policy”
Signed Agreement? Yes
Audit: Yes, once every two years
Summary Requirements: See CJIS Security Policy 5.0
Electronic storage of records requires dedicated IT staff, encryption software, and a dedicated file management system stored with restricted access
Destruction of electronic information must occur via purging
IT staff must be vetted prior to working on systems where records are stored
Category C: Individual Personnel Information
Agency, Entity or Law: Americans with Disabilities Act
Relationship to Local CASA Programs: Federal law related to employee medical records
Training Required? No
Training Materials: NA
Signed Agreement? No
Audit: No
Summary Requirements:
The following records must be maintained securely and separately from employee or volunteer personnel files:
Oral, written, or digital information concerning an employee's mental or physical condition
Medical, dental, disability records
Worker’s compensation and medical leave records
Genetic information
Health insurance information, and/or information concerning visits or payments to any health care professional, hospital, emergency room, or other type of short- or long-term health care facility
Category D: Certain Financial Information and Records
Agency, Entity or Law: Secretary of State, IRS
Relationship to Local CASA Programs: State and federal law related to nonprofit corporations
Training Required? No
Training Materials: NA
Signed Agreement? No
Audit: No
Summary Requirements:
Records, books, and annual reports of the corporation's financial activity must be made available to the public for inspection and copying at the corporation's registered or principal office during regular business hours
Categories D, E: Financial and Organizational Information
Agency, Entity or Law: Public Information Act
Relationship to Local CASA Programs: State law establishing open records requirements
Training Required? No
Training Materials: NA
Signed Agreement? No
Audit: No
Summary Requirements:
As a private entity that receives public/governmental funding, CASA programs are subject to open records requests on all information collected, assembled, or maintained pursuant to law or ordinance or in connection with the transaction of official business
This includes all organizational information, including personal communication, in any form or format, including electronic communication sent or received via personal devices or accounts if used for business purposes
This excludes specific case and child information and personnel information
Summary
To reiterate, this is not an exhaustive list of the information security requirements related to the agencies, entities or laws listed, or of those not included in this list. In exercising due diligence to meet security requirements and to assess and mitigate potential risk, programs will likely benefit from outside assistance from a legal advisor or an IT security professional. Texas CASA will continue to seek and distribute timely information and resources.