Developing a Data Risk Classification Program

Slides:



Advertisements
Similar presentations
IT Security Policy Framework
Advertisements

University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.
Red Flag Rules: What they are? & What you need to do
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
ITEC 6324 Health Insurance Portability and Accountability (HIPAA) Act of 1996 Instructor: Dr. E. Crowley Name: Victor Wong Date: 2 Sept
Regulatory Issues in Campus Computing Privacy and Security in a Digital World Presented by David Gleason, Esq. University Counsel University of Maryland,
Information & Communication Technologies NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.
Information Security Policies Larry Conrad September 29, 2009.
Developing a Records & Information Retention & Disposition Program:
Informed Consent and HIPAA Tim Noe Coordinating Center.
IT Security Challenges In Higher Education Steve Schuster Cornell University.
Peer Information Security Policies: A Sampling Summer 2015.
CUI Statistical: Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics.
Electronic Records Management: What Management Needs to Know May 2009.
1 General Awareness Training Security Awareness Module 1 Overview and Requirements.
DATA PROTECTION IN THE AGO Christina Beusch Deputy Attorney General WA State Attorney General’s Office.
1 Copyright © 2014 M. E. Kabay. All rights reserved. CSH5 Chapter 67 “Developing Classification Policies for Data” Karthik Raman & Kevin Beets Classification.
LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.
IT Security Policy Framework ● Policies ● Standards ● Procedures ● Guidelines.
Designing Services for Security: Information Security Management throughout the Service Lifecycle Sarah Irwin & Craig Haynal 2015 Penn State Security Conference,
STANFORD UNIVERSITY INFORMATION TECHNOLOGY SERVICES 1 The Technical Services Stuff in IT Services A brief tour of the technical and service offering plethora.
The Evolution, Development & Training of HIPAA Policies and Procedures in a Decentralized Health Care Environment Presented By: Sharon A. Budman, M.S.
Welcome….!!! CORPORATE COMPLIANCE PROGRAM Presented by The Office of Corporate Integrity 1.
1 PARCC Data Privacy & Security Policy December 2013.
Approved for Public Release. Distribution Unlimited. 1 Government Privacy Rick Newbold, JD, MBA, CIPP/G Futures Branch 28.
Incident Documentation Campus Security Officer Training.
Safeguarding Sensitive Information. Agenda Overview Why are we here? Roles and responsibilities Information Security Guidelines Our Obligation Has This.
Key Points for a Privacy Programme for Multinationals Steve Coope.
The Medical College of Georgia HIPAA Privacy Rule Orientation.
The Basics of Protecting Electronic Personal Health Information Greg Nance - CISSP, CRISC, CISA, ITIL Information Security Governance, Risk and Compliance.
Pioneers in secure data storage devices. Users have become more accustomed to using multiple devices, are increasingly mobile, and are now used to storing.
Strategies in the Game of
UNDERSTANDING WHAT HIPAA IS AND IS NOT
Encrypted from CDS Office Technologies
East Carolina University
Data Management, Institutional Reporting, & the Data Cookbook
What is HIPAA? HIPAA stands for “Health Insurance Portability & Accountability Act” It was an Act of Congress passed into law in HEALTH INSURANCE.
Data Security Policies
General Data Protection Regulation (GDPR)
E&O Risk Management: Meeting the Challenge of Change
Risk Management and Compliance
GDPR Awareness and Training Workshop
KEY CHANGES TO THE DATA PROTECTION LANDSCAPE
The European Union General Data Protection Regulation (GDPR)
My First Template.
My First Template.
Chapter 3: IRS and FTC Data Security Rules
IS4680 Security Auditing for Compliance
I have many checklists: how do I get started with cyber security?
Refuah Community Health Collaborative (RCHC) PPS
General Counsel and Chief Privacy Officer
Enterprise Risk Management
State of the privacy union
Information Technology Policy Institutional Data Policy
HIPAA PRIVACY AWARENESS, COMPLIANCE and ENFORCEMENT
G.D.P.R General Data Protection Regulations
ADVANCING TRUST IN THE CHARITABLE SECTOR CONFERENCE June 12, 2015
IS4550 Security Policies and Implementation
Security Awareness Training: Data Owners
CompTIA Security+ Study Guide (SY0-401)
MBUG 2018 Session Title: NIST in Higher Education
 How does GDPR impact your business? Pro Tip: Pro Tip: Pro Tip:
HIPAA Policy & Procedure Strategies
Making Your IRBs and Clinical Investigators HIPAA-Ready
Building a Vertical Around Regulated Industries to Increase Your Business
Mayo Clinic Privacy Office
Neopay Practical Guides #2 PSD2 (Should I be worried?)
Peer Cybersecurity Assessments: For and by Higher Education
Security Policies and Implementation Issues
School of Medicine Orientation Information Security Training
Presentation transcript:

Developing a Data Risk Classification Program Presenters: Ben Hartung, Information Security Officer (Fredonia) Symen Mulders, Information Security Analyst (Plattsburgh) (Ben & Symen) Welcome everyone to the Developing a Data Risk Classification Program My name is Ben Hartung, Information Security Officer for Fredonia and Symen Mulders, Information Security Analyst at Plattsburgh.

Background SUNY-wide taskforce comprised of eight campus members of the SUNY Information Security Working Group (ISWG) charged with developing a template for a Data Risk Classification Policy. Contributors: Jeff Murphy (Buffalo) Alan Tosi (RF) David Loewy (Downstate) Walter Kerner (FitNYC) David Fish (Brockport) Ursula Wilkinson (Oswego) Ben Hartung (Fredonia) Symen Mulders (Plattsburgh) (Ben) SUNY campuses are all struggling with the sames security and compliance issues Foundational for all security programs to know what kind of data is in scope and what controls are applicable

Goals Current, comprehensive and easy to understand Maps directly to the NYS & Federal regulations Applicable to Higher Ed (specifically SUNY) Correlates to Information Security Data Access Policy and other related policies Aligns with Enterprise Risk Management (e.g. Data Risk Classification Program) Simplicity of implementation (e.g. DLP) Leadership Buy-In (Ben)

Development Process Reviewed Federal and NYS compliance requirements Reviewed draft policies from other SUNY(s) Reviewed policies from leading Universities (e.g. Harvard, Stanford, & others) Michael Duff, Stanford CISO, provided consultation and guidance Provided DRAFT policy to ISWG, SUNY CCIO, and local campuses for feedback Reviewed by SUNY Counsel Reviewed by SUNY Enterprise Risk Management group Ben Process took about 4-6 months Fredonia also reviewed the draft policy and related templates with the Information Technology Advisory Board (ITAB) and campus-wide 30-day review process for employee feedback

What is Data Risk Classification? Data risk classification is broadly defined as the process of organizing data by relevant categories so that it may be used and protected more efficiently. The classification process not only makes data easier to locate and retrieve – data classification is of particular importance when it comes to risk management, compliance, and data security. Scope = University owned data in motion (transit) and at rest (stored). Source: https://digitalguardian.com/blog/what-data-classification-data-classification-definition Symen

This can be a bit complicated at first... Symen Every campus has a *lot* of different kinds of data, so classifying it can seem like a really big project...

Why do we care? Security ….protect against data breach Cost of Data Breach In 2016, 73% of breaches were financially motivated, per the 2017 Verizon Data Breach Report. Do we understand the financial value of our data so we can apply appropriate security controls? The way we do that is with a data classification. Reference: 2016 Cost of Data Breach Study: Global Analysis from Ponemon Institute (Symen) A breach could really hurt, financially. Classifying our data allows us to focus our security efforts where they will be most effective...

Why do we care?.....con’t Compliance Requirements: (Symen) SUNY Procedures 6608: Information Security Guidelines: Campus Programs & Preserving Confidentiality New York State Information Technology Standard No: NYS-S14-002 Information Classification National Institute of Standards and Technology (NIST) Special Publication 800-53: Security and Privacy Controls for Federal Information Systems and Organizations National Institute of Standards and Technology (NIST) Special Publication 800-171: Protecting Controlled Unclassified Information in Non Federal Information Systems and Organizations Federal Information Processing Standard Publication 199: Standards for Security Categorization of Federal Information and Information Systems New York State Freedom of Information Law (FOIL) New York State Security and Breach Notification Act Family Educational Rights and Privacy Act (FERPA) Health Insurance Portability and Accountability Act (HIPAA) Federal Policy for the Protection of Human Subjects (‘Common Rule’) New York State Information Security Policy Gramm-Leach-Bliley Act Payment Card Industry Data Security Standards (Symen)

Why do we care?..... in 16 Words Restricted = Data that will make a breach expensive. Public = Data subject to FOIL. Private = Everything else. (Symen) ...So, we made it as simple as we could.

Adapting the Data Classification for Your Campus Symen You likely have data on your campus that doesn’t fit any of the categories we have already identified, but still needs to be classified. The important thing to remember is to follow the 16 words. Restricted = expensive breach, public = data available to the public or by FOIL, everything else is private.

Draft Data Risk Classification Policy & Program Templates Data Risk Classification General Overview Data Risk Classification & Approved Electronic Services Ben & Symen Program Development Policy Communication Plan Approved Electronic Services List (Inventory) & Process Awareness Training Related to other relevant policies… e.g. Data Security and Access Policy, Mobile Device Policy What’s Next??...Data Loss Prevention Tools

Questions ??????? Symen & Ben

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.