• Download Checklist

  • Checklist for Information Security in the Initiation Phase of Acquisitions

• 1. Background

  1. This document is created to best serve the parishes within the Diocese of Paterson and have quick and easy checklist to be used as starting place to ensure security within the cloud environment. This document is intended to be used as a starting step to ensure security within cloud services. It is important to note that this is a living document, and it will be broad in order to cover just the minimum requirements to ensure that the security of a cloud is created but in no way should this be used as a definitive list ensure security/compliance.

• 2. Instructions

  1. This checklist is divided into sections. The minimum baseline requirements must be met by all parishes using the cloud environment, and the other tables must be met in order to ensure that all compliance is obtained. Please use the table below in order to see if it is required to use additional checklists.
  2. The checklist can be used with other types of guidelines or checklists, if appropriate or needed. In order to successfully complete this checklist, each question below must be addressed in coordination with all members of the local parishes that are going to be under the cloud service’s administrative control. If updates to this checklist are required due to lack of instructions or ambiguity, please email the technology department for more help.

• Baseline Security Checklist

  Generic
  Minumum password rules (at least one capital letter, minimum password length, and preferably a symbol, expiration time)	□ Yes
  Enable auto update for apps and internet browsers	□ Yes
  Turning o mass data download	□ Yes
  Control access to Google core services	□ Yes
  Disabeld activity controls	□ Yes

   

  Administrator Account
  Require MFA verification for admin accounts	□ Yes
  Use security keys for 2-step Verification (google authenticator)	□ Yes
  Admins should add recovery information to their account (recovery phone number or email)	□ Yes

   

  Super Admin Account
  Create additional super admin account	□ Yes
  The admin needs to verify DNS ownership of the domain. You should keep account information and DNS credentials in a secure place in case they are needed for super admin account reset. Note this must be stared in a secure location with a minimum distance away from the original source.	□ Yes
  Training for super admin accounts: □ Don't use a super admin account for a daily activities □ Don't stay signed into a super admin account □ Use non-super admin accounts for daily admin tasks	□ Yes
  Enroll a spare security key	□ Yes
  Save backup spare security key ahead of time. Note this must be stored in a secure location with a minimum distance away from the original source.	□ Yes

   

  Regular Accounts
  Require 2-Step Verification for users	□ Yes
  Password reuse prevention	□ Yes
  Set up admin email alerts	□ Yes
  If the alerts aren't going to be read, make sure to send them to a person who will read them through a new account and auto forwarding or a service	□ Yes
  Add user login challenges (verification codes)	□ Yes

   

  Google Workspace Specific
  Authenticate email with SPF, DKIM, and DMARC	□ Yes
  Set up inbound email gateways to work with SPF	□ Yes
  Enforce TLS with your partner domains	□ Yes
  Require sender authentication for all approved senders	□ Yes
  Configure MX records for correct mail flow	□ Yes
  Disable IMAP/POP access	□ Yes
  Disable automatic forwarding	□ Yes
  Don't bypass spam filters for internal senders	□ Yes
  Enable enhanced pre-delivery message scanning	□ Yes
  Enable external recipient warnings	□ Yes
  Enable additional attachment protection	□ Yes
  Enable additional link and external content protection	□ Yes
  Enable additional spoofing protection	□ Yes
  Scan and block emails with sensitive data	□ Yes

   

  If using Gmail, Calendar, Drive, Docs please continue below
  Turn on enhanced pre-delivery message scanning	□ Yes
  Turn on additional malicious file and link screening for Gmail	□ Yes
  Make sure email recipients don't mark your email as spam (can be done by setting up the Sender Policy Framework)	□ Yes
  Restrict calendar sharing with people outside your company	□ Yes
  Limit who can see newly created files	□ Yes
  Warm users when they share a file with people outside your company	□ Yes

• Baseline Security Checklist

  Vault (DLP/Data Retention)
  Treat accounts with Vault privileges as sensitive	□ Yes

   

  Mandatory Monitoring
  Review the Admin audit log	□ Yes
  Review your security settings and investigate activity	□ Yes
  Review the Admin audit log	□ Yes

   

  Compliance Mandates
  Follow the Incident response plan in case of a breach. https://chancery.rcdop.org/cyber-incident-reports	□ Yes

   

  Case Specific
  Verify it's you challenge for drive/file sensitive data	□ Yes
  Create security keys for logins on super admins and don't use these accounts so often	□ Yes
  Restrict sharing outside of more secure apps	□ Yes
  Enable HIPAA	□ Yes
  (Must be TLS 1.3 for transit and encrypted at rest)	□ Yes
  All data must be under some sort of access management that is audited regularly	□ Yes

• Baseline Backup Checklist

  Religious and Sacramental Records	Minimum Retention
  Baptism, Reconciliation, Communion, Confirmation, Holy Matrimony, Holy Orders,  and Funeral records	Permanent
  Financial Records	Minimum Retention
  budgets invoices donation logs Vendor contracts and agreements	7 years
  Employee Records	Minimum Retention
  contracts evaluations payroll info	Permanent
  School Records	Minimum Retention
  Transcripts / Report Cards Attendance Registers Cumulative Records Census Records Annual Financial Report	Permanent

• Medical Records

  Student Health Records	Minimum Retention	Regulations/ Notes
  Nurse visits Allergies Chronic condition logs Screenings (vision/hearing)	7 years after student leaves	FERPA
  Immunization Records	Minimum Retention	Regulations/ Notes
  Vaccine documentation (school entry compliance forms)  MMR TDaP COVID	Permanent	FERPA
  Medication Administration Records	Minimum Retention	Regulations/ Notes
  Daily logs of medications given at school  insulin,  ADHD medications Prescription medications	7 years	FERPA
  Incident/Injury Reports (Students)	Minimum Retention	Regulations/ Notes
  Reports of accidents on school grounds nurse or staff notes witness statements	7 years	FERPA
  Confession or Spiritual Direction Notes	Minimum Retention	Regulations/ Notes
  	N/A	Canon Law absolutely prohibits recording the content of confessions in any form — written, digital, or otherwise.
  Consent Forms for Treatment	Minimum Retention	Regulations/ Notes
  Parental/student consent for flu shots Counseling Emergency care	7 years	FERPA
  HIPAA-Covered Records	Minimum Retention	Regulations/ Notes
  Mental health counseling Medical clinic visits Physical therapy	6 years from creation or last use	HIPAA
  Special Education Health Records	Minimum Retention	Regulations/ Notes
  IEPs 504 Plans	7 years	FERPA

  
  

• HIPAA

  Google workspace compliance
  Go to https://admin.google.com/ac/companyprofile/legal and accept the cloud data processing addendum and the HIPAA Business associate amendment	□ Yes

• COPPA

  Understanding requirements
  By law we cannot keep information for longer than reasonably necessary. Do we have any plans in place to ensure this?	□ Yes
  COPPA also requires us to securely dispose of the data once we no longer need it. Do we have a plan in place to ensure this?	□ Yes
  By law COPPA requires us to ask for parental permissin (and collect consent) before we collect data, and we cannot enforce a rule to require the collection of this data. Do we have a plan in palce to ensure this?	□ Yes
  By law COPPA requires us to disclose the information we are collecting about their children. Do we have this enabled?	□ Yes
  By law we must have our privacy policy linked to the page where we collect this data. Do we have this?	□ Yes
  By law id the parents do not provide consent within a reasonable time, we must delete this data. What is your specific plan for this case?	□ Yes

   

  Understanding requirements	To give voluntary notice to a parent about their child's participation on a site or service that doesn't collect personal information
  By law we must tell parents you collected their online contact information to let them know about their child's activities on a site or service that doesn't collect personal information. What is your specific plan for this case?	□ Yes
  By law we must tell them their online contact information won't be used for any other purpose. What is your specific plan for this case?	□ Yes
  By law we must tell them they may refuse their child's participation and require that you delete their contact information; and Hyperlink to your privacy policy. What is your specific plan for this case?	□ Yes
  By law if we collect information to respond directly to a child's specific one-time request (for example, if the child wants to enter a contest). Do we have a system where we can't use the information to contact the child again and you must delete it after you respond to the request?	□ Yes

   

  Understanding requirements	To respond directly more that once to a child's specific request (for example, if the child wants to receive a newsletter)
  You must tell parents you collected their online contact information to let them know their child has asked to multiple online communications	□ Yes
  You must tell parents you collected their child's online contact information to provide the multiple communications they asked for	□ Yes
  You must tell parents the online contact information won't be used for any other purpose and won't be disclosed or combined with other information	□ Yes
  You must tell parents that if they don't opt out, you may use the child's online contact information for that purpose	□ Yes
  You must hyperlink the privacy policy	□ Yes
  If the collection is needed to provide support for internal operations of your site or service. This includes: Maintaining or analyzing the functioning of the site, Performing network communications, Authenticating users of the site or personalizing content, Serving contextual ads or frequency capping, Protecting the security or integrity of the user or the site, Legal or regulatory compliance, or Fulfilling a child's request under the one-time contact or multiple contact exceptions.	□ I acknowledge that I can't use the information to contact a specific person, including through behavioral advertising, to amass a profile on a specific person, or for any other purpose.
  I understand that this information may be out of date as this is meant to be a living document and as such, I need to go through the website below to ensure all data is up to date and accurate.	□ Yes

• FERPA

  Data Types

  Additional Requirements

  Will/Does this server contain information about minors (under 13)? First and last name; A home or other physical address including street name and name of a city or town; Online contact information; A screen or username that functions as online contact information; A telephone number; A Social Security number; A persistent identifier that can be used to recognize a user over time and across different websites or online services; A photograph, video, or audio file, where such file contains a child’s image or voice; Geolocation information sufficient to identify street name and name of a city or town; or Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described above. If there are any questions, please refer to this link or ask the technology department https://www.ftc.gov/business-guidance/resources/complying-coppa-frequently- asked-questions#A.%20General%20Questions

  Yes, and COPPA

   
  

  Data Types

  Additional Requirements

  Will/Does this server contain any medical records? The provider of an individual or group health plan, a health maintenance organization (HMO), An issuer of a Medicare supplemental policy, A federal or state-funded health program, A multi-employer welfare program, A self-administered, employer-sponsored health plan with fifty or more plan members that pays the cost of medical care or medical items through insurance, re-imbursement, or otherwise? A health care clearinghouse, A billing service, A repricing company, A community health management information system, A community health information system that processes – or facilitates the processing of – health information received from an entity in a nonstandard format into a standard transaction (or vice versa)? A healthcare provider or pharmacy who furnishes, bills, or is paid for health care in the normal course of business – even if it is not the primary purpose of the organization – and who transmits health information in electronic form in connection with a transaction for which a HIPAA standard exists? Create, receive, maintain, or transmit Protected Health Information – in any medium – in the fulfilment of a function, activity, or service for, or on behalf of a Covered Entity? A health information organization, an e-prescribing gateway, or other organization that provides data transmission or data storage services with respect to Protected Health Information? Provide subcontractor services for an organization of the types mentioned above that involve creating, receiving, maintaining, transmitting, using, or disclosing Protected Health Information? If there are any questions, please refer to this link or ask the technology department https://www.hipaajournal.com/hipaa-compliance-checklist/#hipaacompliancechecklist2023

  Yes, and COPPA