Proposed Information Security Policy Changes

Presentation transcript:

Proposed Information Security Policy Changes CIO Council | June 27, 2016 | Smith Campus Center

Purpose and Intended Outcome

Purpose: To review with the CIO Council the proposed changes to the Information Security Policy

Intended Outcome: Agreement to proceed with the proposed changes, effective 9/1/2016, or an understanding of the concerns that would prevent such agreement

Agenda

We will review:
- The (first) annual Information Security Policy review process and stakeholders
- Proposed changes to the Information Security Policy as a result of that process
- The communication, education and training plans in support of the changes
- Any concerns you have

Information Security Policy review process

Background: While we debuted a new Information Security Policy in 2013, we have never had a formal process to review and update this or the previous policy.

Annual Policy Review Process:
1. Anyone may suggest a change to an Information Security Council (ISC) member [by March 2016 - COMPLETED]
2. ISC member reviews and suggests to Information Security Steering Group (ISSG) as appropriate [by March 2016 - COMPLETED]
3. ISSG reviews all suggested changes and recommends updates to Information Security Council (ISC) [April 2016 - COMPLETED]
4. ISC approves changes to How-To's and agrees to recommend changes to Requirements to CIO Council [April-May 2016 - COMPLETED]
5. CIO Council approves changes to Requirements [June 2016 - IN PROGRESS]
6. Changes are effective September 1, 2016

Summary of Proposed Information Security Policy Changes - 2016

Encrypt mobile devices
  From: Roundabout implication that mobile devices should be encrypted ("protected against access if the device is lost or stolen")
  To: Clearly stated requirement that mobile devices that store or access Harvard information must be encrypted

Level 4 data on user devices
  To: Clarify that Level 4 data may be stored on approved encrypted portable media

Password complexity
  From: All passwords must meet complexity requirements
  To: Passwords of more than 20 characters in length have no other requirements

Use of HarvardKey
  To: Servers or applications with Level 3 or higher data must use HarvardKey

Password management
  From: Unclear security requirements for systems that manage passwords; no special requirements for Active Directory
  To: Clarify that systems that manage passwords must meet Level 4 requirements; includes new standards for Active Directory

Social Security Numbers
  From: Implicit that systems with SSNs must meet Level 4 requirements
  To: Four new specific requirements:
    1. Reiterate that systems with SSNs must meet all Level 4 requirements
    2. Keep SSNs only when required by law
    3. Dispose of or archive records with SSNs when not required by law
    4. Report location and volumes of SSNs annually

Effective as of 9/1/2016 - see full text in attached Microsoft Word document

Policy Communication, Education, and Training

Announcement of policy updates and community responsibility to uphold
  Audience: Entire university
  Delivery Method: Email from Provost Alan Garber
  Timing: Beginning of September

Local/School support of policy updates
  Audience: School Security Officers
  Delivery Method: Communicator toolkit, e.g. website content, PPT slides

How-to explanations for new requirements, e.g. activate encryption on a laptop
  Delivery Method: Security website content

Quick Reference Card for classifying, handling, disposing of data
  Delivery Method: Printable job aid posted on Security website
  Timing: Fall 2016

Overview of policy and how to apply it in common use cases
  Audience: Staff and faculty who handle confidential data
  Delivery Method: Online training (Harvard Training Portal)

Questions and Concerns