
Slide 1: Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access
A pragmatic, collaborative approach to promulgating campus-wide policies to address compliance with contractual, regulatory and statutory requirements related to data integrity, security, and privacy in a heterogeneous, multi-platform IT environment at the Georgia Institute of Technology.
Michael Brandon, Director
Jaime Galiano, Project Director
Georgia Institute of Technology, Office of Information Technology – Policy & Strategy

Slide 2: Copyright Statement
© Georgia Institute of Technology, 2004
Copyright Michael Brandon and Jaime M. Galiano, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Slide 3: Chef’s Conundrum

Slide 4: Background “Recipe Starter”
What?
– Overhaul of existing Data Access Policy and procedures
Why?
– New regulatory, statutory, and contractual requirements in terms of privacy protection
– Significant increase in information security threats
– Minimize risk exposure associated with electronic commerce
– Increasing scope and complexity of GT Information Technology infrastructure
Why now?
– Contractual and legal compliance deadlines
– Policy refresh long overdue

Slide 5: Requirements “Allspice”
Legal
– GLBA: FTC Safeguards Rule
– HIPAA: OCR Privacy Rule
– FERPA
Contractual
– Cardholder Information Security Program (CISP)
Standards / Best Practices
– ISO 17799
– GIT Internal Control Guide
– Incident Response Procedures

Slide 6: Communicating at Different Levels “Appealing to the Different Tastes”
– Policy issues
– Change management issues
– Implementation strategy
– Safeguards issues
– Implementation details: how? How much? Who?

Slide 7: Policy Development Committee “Culinary Specialists”
Representatives from:
– Information Security
– Internal Audit
– Business Office
– Office of the Registrar
– Human Resources
– Enterprise Information Systems (Software Development)
– Academic Units
– Sponsored Programs / Research
– Computer Support Representatives
– Policy & Strategy
– Office of Legal Affairs

Slide 8: Summary of Activities “Cooking Instructions”

Slide 9: Deliverables “Soup Servings”
Data Classification
– Category 1 – Public Use
– Category 2 – Internal Use
– Category 3 – Sensitive
– Category 4 – Highly Sensitive
Roles
– Chief Data Stewards
– Data Stewards
– Data Coordinators
– Data Administrators
– Authorized Requestors
– Technical Authorities
– Data Users
Procedures
– Standardized Access Request Form (three-way certification)

Slide 10: Deliverables “More Servings”
Unit-level servers hosting sensitive data (Deans, VPs, Associate VPs):
– Register with OIT Information Security
– Direct reviews of, and respond to, technical reports for approved servers
– Coordinate with OIT Information Security to verify security procedures
– Periodic access control assessments
Desktops / laptops / workstations (user responsibility):
– Current firewall and anti-virus software must be installed and enabled
– OS patches must be kept up to date

Slide 11: Data Protection Safeguards “The Spice Rack”
Major safeguard groupings:
– Physical Access Control
– Information Security Policy
– Firewall Protection
– Security Patches
– Protection of Stored Data
– Network Data Encryption
– Anti-virus Software
– Access Control (need-to-know)
– Unique Identification (person or system)
– System Configuration
– Tracking Access by Unique ID
– Testing of Security Systems and Processes

Slide 12: Safeguards by Data Category “Mild or Extra Hot?”
– Category IV data safeguards are comprehensive and uncompromising; primarily contractual
– Category III data safeguards are designed to meet all legal requirements in terms of “reasonable” protection
– Category I data mandatory requirements constitute the “lowest common denominator” for protecting the weakest nodes on the network
Higher category = higher overhead

Slide 13: High Impact Implementation Issues “Heartburn”

Slide 14: What Did We Do Differently? “Chef’s Corner”
– Broad representation on the Policy Development Committee
– Combined “top-down” and “bottom-up” approaches to policy development
– Extensive review of, and consensus on, all key deliverables
– Implementation flexibility to account for current economic and organizational constraints, while still addressing all requirements

Slide 15: What Have We Learned? “Adding Soup to the Menu…”
– Critical to engage all key constituencies and stakeholders early on
– An inclusionary approach involves making compromises
– Need to have clearly defined sponsor(s) and an approval process
– Communicate early and frequently

Slide 16: Soup Anyone?
Mike Brandon, Director – OIT Policy & Strategy, Georgia Institute of Technology, mike.brandon@oit.gatech.edu
Jaime Galiano, Project Director – OIT Policy & Strategy, Georgia Institute of Technology, jaime.galiano@oit.gatech.edu
