Wednesday, November 7, 2012.


Create a Comprehensive Information Security Program With Limited Resources
Dana German, CTO, Albright College
Please complete this simple survey before we begin: http://bit.ly/TqMd2S
Tweet using: #E12_SESS058
November 7, 2012

• 1,600 day students
• 23 states and 19 countries represented
• 27% students of color
• 4% international students
• Full-time faculty: 110
• 12:1 student/faculty ratio

Albright IT Services
• Technology infrastructure and learning-focused technologies
• Technology training
• Computer replacement/deployment and support
• IT Help Desk and Media Services
• Enterprise applications / business process improvement / reporting
• Information Security (no dedicated staff)

What We’ll Cover…
• Core Policies
• Data Stewardship Framework
• Data Classification Standard
• Electronic Procedures for Highly Sensitive Data
• Enterprise Systems Inventory & Classification
• Risk Management (Risk Assessment Plans; DR Plans; Vendor Contracts)
• User Training
• Other Important Considerations

Survey Results…
What’s the status of YOUR information security program?

Core/Foundational Policies
• Acceptable Use Policy
• Administrative Data Management & Access Policy (including Data Stewardship)
• Data Classification Standard

Acceptable Use Policy
• Protection of individual user account credentials
• Protection of institutional computer systems and data
• Access only to authorized information
• Software licensing and copyright issues
• Compliance with federal and state laws and other college/university policies

Administrative Data Management & Access Policy

Administrative Data Mgt & Access Policy The purpose of this policy is to define access, controls and protection of the college’s administrative data. Administrative data maintained by the institution is a vital information asset that will be available to all employees who have a legitimate need for it, consistent with the institution's responsibility to preserve and protect the integrity of the data, and to ensure the privacy of sensitive data. The institution is the owner of all administrative data; individual units or departments have stewardship responsibilities for data domains, or portions of the data.

Administrative Data Mgt & Access Policy
• Roles and responsibilities of Data Trustees, Data Stewards and Data Users
• Responsibilities of the Data Management Group
• Data Classification Standard
http://www.albright.edu/itservices/policies/index.html

Data Steward Responsibilities
• Approval of user access and authorization
• Ongoing annual reviews of security profiles
• User acceptance/sign-off for system upgrades, enhancements and changes
• Data integrity and accuracy
• User training
• Procedures for safeguarding restricted data

Data Stewardship Framework (trustee or steward cells left blank where the slide showed none)

DATA DOMAIN | DATA TRUSTEE | DATA STEWARD
Traditional Undergraduate Admission Data | VP for Enrollment Management & Dean of Admission | Director of Enrollment & Information Services
ADP Admission & Student Data | Provost and VP for Academic Affairs | Director of the Accelerated Degree Programs
Student Academic Data, Course Schedules and Enrollment Data | | Registrar
Housing Data | VP for Student Affairs & Dean of Students | Director of Housing & Residential Learning
Student Affairs / International Students & Community Standards | | Assistant Dean & Students
Health Services Data | VP for Student Affairs & Dean of Students | Assistant Dean of Students & Director of the Gable Health Center
Finance & Student Accounting Data | VP for Administrative & Financial Services | Associate VP/Controller
ID Card/Access Data | | Director of Public Safety
ID Card/Dining, Debit | | Senior Accountant
Human Resource Data | | Associate VP and Director of Human Resources
Payroll Data | |
Student Financial Aid Data | VP for Enrollment Management & Dean of Admission | Director of Financial Aid
Advancement/Alumni Data | VP for Advancement | Director of Advancement Information Systems
Athletics Data | VP for Enrollment Management and Dean of Admission | Director of Athletics
Learning Management Systems | Provost and VP for Academic Affairs | LMS Application Administrator
Parent Data | |
Comparative Institutional Data | | Director, Institutional Research

Data Classification Standard
• Public Data
• Restricted Data: by default, all administrative data not explicitly defined as either Highly Sensitive or Public are classified as Restricted Data. Examples of Restricted Data include student grades and faculty/staff salaries.
• Highly Sensitive Data

Data Classification Standard
Highly Sensitive Data: a first name (or first initial) and last name in combination with any of the following:
• Social Security Number
• Driver’s license number or state-issued ID number
• Credit card numbers
• Bank account numbers

Electronic Storage of Highly Sensitive Data Procedure
• Highly Sensitive Data must not be stored or kept on any non-network storage device or media. Prohibited storage media include desktop computers, laptop computers, PDAs, cell phones, USB drives, thumb drives, memory cards, CDs, DVDs, local external hard drives and other USB devices, unless specifically approved encryption methodologies have been used.
• Highly Sensitive Data must not be distributed, including via e-mail or e-mail attachment, except by approved encrypted means.
• Exceptions to the procedures for the electronic storage of Highly Sensitive Data must be approved by the appropriate division Vice President in consultation with the Chief Technology Officer. Approved exception requests are documented to ensure that acceptable data encryption protocols are implemented.
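The two slides above define Highly Sensitive Data and ban it from local drives and unencrypted e-mail; enforcing the ban means being able to find the identifiers on a workstation or file share. The script below is an added example, not Albright College’s code or tooling. It applies the standard’s definition (a name plus an SSN or credit card number) to plain text; the SSN pattern, the Luhn check used to discard digit runs that are not card numbers, the capitalised-word name heuristic and the sample text are all my assumptions. Driver’s license and bank account numbers have no portable format, so the example does not try to match them.

```python
"""Scan text for the identifiers that make data "Highly Sensitive" under the
Data Classification Standard: a first name (or first initial) and last name
together with an SSN or a credit card number.

Added example, not Albright College's code. The regexes, the Luhn filter and
the name heuristic are assumptions of this example; the standard only lists
the data elements.
"""
import re
import sys

# SSN in the dashed form 123-45-6789, excluding area/group/serial values that
# the SSA never issues (000, 666, 9xx; 00; 0000) to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Name heuristic: "Jane Smith" or "J. Smith". It over-matches any pair of
# capitalised words, so treat has_name as a hint to review, not a verdict.
NAME_RE = re.compile(r"\b(?:[A-Z][a-z]+|[A-Z]\.)\s+[A-Z][a-z]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: True for a well-formed payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> dict:
    """Return the identifiers found and whether the text crosses the
    Highly Sensitive threshold (a name plus at least one identifier)."""
    ssns = SSN_RE.findall(text)
    cards = [m.group() for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group()))]
    has_name = NAME_RE.search(text) is not None
    return {
        "ssns": ssns,
        "cards": cards,
        "has_name": has_name,
        "highly_sensitive": has_name and bool(ssns or cards),
    }


# Constructed sample; none of these values belong to a real person.
# 4111 1111 1111 1111 is the standard Visa test number; the second digit
# run fails Luhn and so is reported as a reference number, not a card.
SAMPLE = (
    "Student: Jane Smith, SSN 123-45-6789, card 4111 1111 1111 1111\n"
    "Vendor ref 1234 5678 9012 3456 is a plain reference, not a card\n"
)


if __name__ == "__main__":
    # Usage: python scan.py FILE [FILE ...]   (no arguments: scan SAMPLE)
    paths = sys.argv[1:]
    if not paths:
        print(classify(SAMPLE))
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            result = classify(fh.read())
        flag = "HIGHLY SENSITIVE" if result["highly_sensitive"] else "ok"
        print(f"{path}: {flag} ssn={len(result['ssns'])} "
              f"cards={len(result['cards'])}")
```

Run it over files exported from a laptop or USB drive to produce a list of candidates for the exception process; the name check mirrors the standard’s "in combination with" wording, so an SSN with no name nearby is reported but not flagged. The Luhn filter is what keeps invoice and reference numbers out of the credit card column.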

Enterprise System Inventory & Classification (blank cells were not shown on the slide)

SYSTEM | TIER (1, 2, 3) | HIGHLY SENSITIVE? | EXTERNALLY HOSTED?
PowerCAMPUS | 1 | Y |
Dynamic GP | | |
Fac/Staff Email | | N |
Student Email | | |
School Dude | 3 | |
Housing Director | 2 | |
Network File Shares | | |

Technical Standard for Enterprise System Classification, Risk Management & DRP
• Tier 1 and internally hosted: a documented disaster recovery plan (DRP) is required, with annual testing of the plan
• Tier 1 and externally hosted: the DRP should be described in the vendor contract
• Highly Sensitive and internally hosted: a documented risk assessment (RA) is required, with annual RA review
• Highly Sensitive and externally hosted: the vendor contractual requirements listed on the next slide apply

Vendor Contractual Requirements
• Network Security
• Data Security
• Data Storage
• Data Sharing/Access/Transmission
• Data Encryption
• End-of-Agreement Handling
• Security Breach Obligations/Notifications
• Audit Review
• Disaster Recovery

Information Security Awareness Training
• Institutional Policies
• Secure Computing Practices
• Incident Handling

Other Considerations (but there are many more!)
• Technical standards for backup and restoration
• Technical standards/procedures for electronic data removal from hard drives
• Technical standards/procedures for change control
• Software testing
• Website/page security checklist
• Wireless standards
• Remote access standards

Thank you for attending!
Dana German, CTO, Albright College
Phone: 610.921.7225
Email: dgerman@alb.edu
Twitter: @dgerman44
Tweet using #E12_SESS058