Data Protection
Third Party
Risk
Network
Cloud
100

_____ data is not regulated and is generally made available through public interfaces and requires no protection mechanisms.

What is Public?

100

The Third Party ________ will adhere to information security requirements relating to USC’s Confidential information assets, as defined by the Data Protection Policy

What is Relationship Owner?

100

The objective of this Policy is to define requirements for the _______ for information security risks at USC.

What is third parties?



100

______ will map and document network connections and identify key components during network analysis, operations and investigations.

What is Network Owners?

100

System and Asset Owners should maintain a current inventory of ______ hosted in cloud environments pursuant to the Asset Management Policy.

What is assets?

200

____ data includes all information used to conduct USC business, unless categorized as Confidential or Public.

What is Internal Use Only?

200

_____ should obtain a Data Security Addendum (DSA) with the third party and consult with the Office of Ethics & Compliance regarding whether a Business Associates Agreement (BAA) is needed for information assets related to Protected Health Information (PHI).

What is The Third Party Relationship Owner (TPRO)?

200

___________ and _________ Governing Bodies will manage known information security risks at a reasonable level as required by the USC Board of Trustees.

What is OCISO and USC Information Risk?

200

**DAILY DOUBLE**

Any exceptions to policy will be submitted and approved by designated ________.

What is USC leadership?

200

_______ will have audit plans in place requiring at least annual assessment of the effectiveness of information security measures.

What is Cloud Service Providers?

300

_____ data is to be used only for Covered Defense Information, which includes Controlled Technical Information (CTI), Controlled Unclassified Information (CUI), or any other information that has military or space application where the data provider (e.g. research sponsor) has imposed safeguarding or dissemination controls for reasons of national security.


What is Confidential-Controlled?

300

TPRO will work with ______ to monitor and reassess third party information security practices in a timely manner.

What is OCISO?

300

System Owners will report identified information security risks to high value assets or assets with Confidential data, as defined in the ______________.

What is Data Protection Policy?

300

External connections (e.g., third-party connections, remote access) will be approved by _______ and secured with network protection mechanisms.

What is System Owners?

300

System and Asset Owners will comply with _______ restrictions on data storage, processing, and transmission, including but not limited to regulatory requirements governing the flow of data across borders, international commerce and trade laws, and location-based restrictions on physical and logical access to USC data.

What is geographic?

400

Data destruction and retention will follow USC’s ___________ Policy and comply with the appropriate use, retention, and destruction practices per that policy.

What is Record Management?

400

OCISO should monitor and periodically assess third party information security practices for third parties handling Confidential data as defined by this:

What is Data Protection Policy?

400

OCISO will conduct information security risk assessments of the potential risks and vulnerabilities to the _________, __________, and _________ of high value assets or assets with Confidential information.

What is confidentiality, integrity and availability?

400

Network and endpoint devices that store Confidential Data, in accordance with the Data Classification Policy, will have information security ________________ enabled, as defined in the Information Security Logging and Monitoring Policy.

What is event logging?

400

USC information and applications residing in _________ hosting environments will have access restricted appropriately.

What is multi-tenant?

500

Data Owners are responsible for ensuring the appropriate administrative, physical and technical safeguards are in place when using, storing, ______, or sharing information.

What is transmitting?

500

**DOUBLE JEOPARDY**

If a third party is engaged prior to a contractual or subscription engagement, relevant purchasing authorities will require that if the information being collected or exchanged is _______ or ________ (as defined in the Data Protection Policy), a binding non-disclosure agreement or appropriate confidentiality language in the contract itself should be in place between USC and the third party.

What is Confidential or Internal Use Only?

500

System Owners will monitor the effectiveness of security measures designed to reduce _________ __________ risks to a reasonable level, that may be subject to review of ______, Office of Compliance or USC Audit Services.

What is information security and OCISO?

500

Networks, along with related endpoint devices (e.g., department workstations, security cameras, point of sale systems), will be logically or physically segregated into separate logical domains in accordance with what two things?

What is regulations and leading practices?

500

Access to USC information stored in external cloud environments will be subject to the same access controls as internally hosted applications and infrastructure as defined in the ______ Policy and the _________ Policy.


What is Access Management and Third-Party Security Risk Management?