Security Awareness Training: Data Owners

Presentation transcript:

Security Awareness Training: Data Owners

Definition (VITA 501-01, p. 8, section 2.2.8, Data Owner)
The Data Owner is the agency manager responsible for the policy and practice decisions regarding data, and is responsible for the following:
1. Evaluate and classify the sensitivity of the data.
2. Define protection requirements for the data based on its sensitivity, any legal or regulatory requirements, and business needs.
3. Communicate data protection requirements to the System Owner.
4. Define requirements for access to the data.

Take Full Ownership
Primary focus is to assume responsibility: as the data owner, you are responsible for the data and for dictating how it is handled.

Communication
Communicate with the System Owner about:
- Regulations
- Policy
- Access control
- Reviewing
- Risk assessment, business continuity
- Disposal
Communicate with end-users.

Regulations & Policies
What regulations, whether federal, state, local or organizational, apply to your data?
Federal:
- FERPA - Family Educational Rights and Privacy Act: http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
- PCI DSS - Payment Card Industry Data Security Standard: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
- HIPAA - Health Insurance Portability and Accountability Act: http://www.hhs.gov/ocr/privacy/
State/Regional:
- DHRM - Department of Human Resource Management: http://www.dhrm.virginia.gov/
- SACS - Southern Association of Colleges and Schools: http://www.sacs.org/
- SCHEV - State Council of Higher Education for Virginia: http://www.schev.edu/
- VITA ITRM Standard SEC501-01: http://www.vita.virginia.gov/uploadedFiles/Library/PSGs/IT_Security_Standard_501_01_101909_v2.pdf
- COV ITRM Standard SEC514-03, Removal of Commonwealth Data from Electronic Media Standard: http://www.vita.virginia.gov/uploadedFiles/Library/PSGs/Data_Removal_Standard_514_03%2010_07_2008_r3.pdf
NSU:
- Acceptable Use of Technological Resources: http://www.nsu.edu/policies/pdf/60_201.pdf

Access Controls
Define who has access and how. Inform the System Owner and admins what they need in order to protect the data (VITA SEC501-01 Section 5, p. 26):
- Least privilege
- AAA
- Removing AAA
- Changes in AAA
- Shared accounts
- Local admin rights
- Etc.
- NSU Password Policy 62.002: http://www.nsu.edu/policies/pdf/62-002ComputeSystemsPasswordsVer16.pdf
- Who can get to the data, when, how, and which permissions are applied to that data
- Is remote access allowed?
- How to protect data at rest (not in use or moving): archives, data not accessed often; does the data need to be encrypted?
- How to protect data in motion (USB, printing, memory)
- System interoperability/sharing

Review
Data protection is no good without regular review (VITA SEC501-01 Section 5, p. 26):
- "Do you know who has access and what kind of access?" (R, RW)
- "Who is checking those that can write?"
- "Protecting it?"
- How often?
- Audit point: be prepared to be asked again
- The access controls listed previously

Risk/Business Continuity
- Develop with the System Owner
- Classify data
- A sensitive system is one with any data where risk is assessed as High in any of the Confidentiality, Integrity, or Availability of the data.
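As an added example (not part of the NSU slides or VITA standard), the Access Controls and Review questions above, together with the "High in any of C, I, A" sensitivity rule, carried out over a constructed access list: the script compares who actually has access (and whether it is R or RW) with what the data owner approved, and flags shared accounts and local admin rights. All accounts, names and the approved list are constructed sample data.

```python
# Added example: an access review over a constructed access list, answering the
# slide's questions (who has access, R or RW, who can write, what should have
# been removed) plus the VITA "High in any of C/I/A" sensitivity rule.
# Names, accounts and the approved list are constructed, not NSU data.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Entry:
    account: str
    rights: str                 # "R" (read) or "RW" (read/write)
    person: Optional[str]       # None marks a shared/generic account
    local_admin: bool = False   # holds local admin rights on the host

# Constructed export of who can currently reach the data.
ACCESS_LIST = [
    Entry("jdoe", "RW", "Jane Doe"),
    Entry("asmith", "R", "Al Smith"),
    Entry("registrar_shared", "RW", None),
    Entry("bwong", "RW", "Bea Wong", local_admin=True),
    Entry("tleft", "R", "Tom Left"),        # left the department, never removed
]

# Constructed: the access the data owner actually approved and communicated
# to the System Owner (account -> maximum rights).
APPROVED = {"jdoe": "RW", "asmith": "R", "bwong": "R"}

def writers(access_list: List[Entry]) -> List[str]:
    """Accounts that can change the data: the list someone must be checking."""
    return sorted(e.account for e in access_list if e.rights == "RW")

def review(access_list: List[Entry], approved: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare actual access with approved access; each finding is (account, issue)."""
    findings = []
    for e in access_list:
        want = approved.get(e.account)
        if want is None:
            findings.append((e.account, "not approved: remove access"))
        elif e.rights == "RW" and want != "RW":
            findings.append((e.account, "write access exceeds approved read-only"))
        if e.person is None:
            findings.append((e.account, "shared account: no individual accountability"))
        if e.local_admin:
            findings.append((e.account, "local admin rights: confirm still required"))
    return findings

def is_sensitive(confidentiality: str, integrity: str, availability: str) -> bool:
    """Slide rule: High assessed risk in any of C, I or A makes the system sensitive."""
    return "High" in (confidentiality, integrity, availability)
```

Running `review(ACCESS_LIST, APPROVED)` on the sample data produces five findings: two for the shared account, two for the over-privileged admin, and one for the departed user whose access was never removed.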

Social Engineering
- Social engineering: the weakest link
- Phishing
- Never give out your password
- Lock your computer
- Dumpster diving / shredding