Security, Privacy, and the Protection of Personally Identifiable Information Rodney J. Petersen Policy Analyst, EDUCAUSE EDUCAUSE/Internet2 Security.

Security, Privacy, and the Protection of Personally Identifiable Information Rodney J. Petersen Policy Analyst, EDUCAUSE EDUCAUSE/Internet2 Security Task Force Coordinator © 2003, EDUCAUSE/Internet2 Computer and Network Security Task Force

Information Protection Strategies
Security versus Privacy - Positions
  Security or Privacy – Win/Lose
  Security nor Privacy – Lose/Lose
  Security and Privacy – Win/Win
Balancing Interests - Compromise
  Tradeoffs – Win/Lose
  Legal and Ethical Approaches – Win/Win

Goals of IT Security
Confidentiality: computers, systems, and networks that contain information require protection from unauthorized use or disclosure.
Integrity: computers, systems, and networks that contain information must be protected from unauthorized, unanticipated, or unintentional modification.
Availability: computers, systems, and networks must be available on a timely basis to meet mission requirements or to avoid substantial losses.

Policy of the United States
In the past few years, threats in cyberspace have risen dramatically. The policy of the United States is to protect against the debilitating disruption of the operation of information systems for critical infrastructures and, thereby, help to protect the people, economy, and national security of the United States. We must act to reduce our vulnerabilities to these threats before they can be exploited to damage the cyber systems supporting our Nation’s critical infrastructures and ensure that such disruptions of cyberspace are infrequent, of minimal duration, manageable, and cause the least damage possible.
Letter from President George W. Bush to The American People, The National Strategy to Secure Cyberspace (February 2003)

Congressional Actions – Fall 2003
“Worms and Viruses” – multiple hearings
“Database Security: Finding Out When Your Information Has Been Compromised”
  U.S. Senate Committee on the Judiciary, Subcommittee on Technology, Terrorism and Government Information (November 4, 2003)
“Cybersecurity & Consumer Data: What’s at Risk for the Consumer?”
  U.S. House Committee on Energy and Commerce, Subcommittee on Commerce, Trade, and Consumer Protection (November 19, 2003)

Public Policy Issues
Identity Theft
Notification of Security Breaches
Protection of Personally Identifiable Information
  Social Security numbers
  Credit Card Information
Privacy Policies & Collection Practices
Safeguarding Information

GLB Act Security Safeguards
Designate employee(s) to coordinate
Conduct a risk assessment
  Identify reasonably foreseeable risks
  Assess the sufficiency of any safeguards in place to control these risks
Design and implement safeguards to control the risks you identified through risk assessment
Regularly test and monitor the effectiveness of the safeguards
Oversee service providers

HIPAA Security Regulations
Administrative Safeguards
  Security Management Process
    Risk Analysis
    Risk Management
  Appointment of a security official
  Workforce Security
  Information Access Management
  Security Awareness and Training
  Incident Response Procedures
  Contingency Plan

U.S. Privacy Act of 1974
Federal agencies are required to “establish appropriate administrative, technical and physical safeguards to insure” security and confidentiality and “protect against anticipated threats . . . which could result in substantial harm, embarrassment, inconvenience or unfairness to any individual.”

Fair Information Practices
Access and correction
Transparency
Data security
Specifying and limiting purposes for which data can be used
Data minimization
Enforcement
(Fair Credit Reporting Act, Privacy Act, and several other information privacy laws)

FTC’s Principles for Government Privacy Policies and E-Commerce
Notice
Choice/Consent
Access
Security
Enforcement

Emerging Issues
Notification to “Consumers”
  Disclosure of organization’s maintenance of personally identifiable information
  Description of what procedures the organization has in place to protect data
  Notification when a breach or leakage has the potential for harm
Providing a Right of Access: individuals need to know what information is being kept about them.
Adoption of The Privacy Act’s Security Standard: application of fed. agency rules to the private sector
Creation of a Private Right of Action

Public Policy Framework
Coverage: any record containing nonpublic personal information, whether in paper, electronic or other form
Information Security Program: the administrative, technical, and physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle information
Risk Assessment and Mitigation of Risks
Notification of Owners of PII
Or Be Held Accountable!

“Negligent Security”
Duty
  Statutory obligations
  Created by contract or promise
  Assumed in policy or mission statement
  Standard of care in the industry!!!
Breach
Damage
Causation

Risk Management
Risk = Threats x Vulnerabilities x Impact
Only 30% of the institutions surveyed have undertaken a risk assessment to determine their IT assets’ value and the risk to those assets – ECAR Study (2003)
Risk Assessment (identify assets, classify assets, inventory policies and practices, vulnerabilities, etc.) and Responses to Risk (assumption, control, mitigation, or avoidance)

Types of Risk (Impact)
Legal Risks
Financial Risks
Reputational Risks
Operational Risks
Strategic Risks

Cybersecurity Plans
Only 13% of the institutions surveyed have comprehensive IT security plans in place. 10% said no plan was in place. 42% had a partial plan in place. 36% are currently developing a plan – ECAR Study (2003)
Convergence with Emergency Preparedness Planning Activities
Relationship to Business Continuity and Contingency Plans
Cyber Security as part of Strategic Plans

Security Policies
“A security policy is a concise statement, by those responsible for a system (such as senior management), of information values, protection responsibilities and organizational commitment.” [U.S. General Accounting Office]
54% of the institutions surveyed have formal institutional IT security policies – ECAR Study (2003)
37% had policies in the implementation stage – ECAR Study (2003)

What Formal Policies Cover
99% - acceptable use
89% - system access control
85% - authority to shut off Internet access
83% - data security
82% - network security
82% - enforcement of institutional policies
80% - desktop security
71% - physical security of assets
61% - residence halls
51% - remote devices
39% - application development
ECAR Study (2003)

Security Policies & Procedures
Rationale/Purpose
Scope
Policy Statement
Roles & Responsibilities
Procedures
Related Policies

Rationale or Purpose
Examples include:
  Confidentiality, Integrity, & Availability
  Attainment of Institutional Mission
  Compliance with Laws or Regulations
    GLB Act
    HIPAA
    State Laws or Regulations
  Principles

Guiding Principles
Civility and Community
Academic and Intellectual Freedom
Privacy and Confidentiality
Equity, Diversity, and Access
Fairness and Process
Ethics, Integrity, and Responsibility

Scope
Examples include:
  Data and information?
  Computers and networks?
“Information Resources – information in any form and recorded on any media, and all computer and communications equipment and software.” [Georgetown University Information Security Policy]

Policy Statement
Examples include:
  Critical asset identification
  Risk management
  Physical security
  System and network management
  Authentication & authorization
  Access control
  Vulnerability management
  Awareness & training

Roles and Responsibilities
Examples include:
  Governing Board
  Executive Management
  Chief Information Officer
  Chief Security Officer
  Unit Directors and Data Stewards
  End-Users

Procedures
Examples include:
  Confidentiality and Nondisclosure
  Breach notification
  Logging and monitoring
  Identification of departmental contacts
  Blocking network access
  Incident response

Related Policies
Examples include:
  Acceptable Use
  Elimination of Social Security numbers as primary identifiers
  Privacy Policy or Collection and Disclosure of Personal Information
  Data Management and Access Policy
  Identity Management

EDUCAUSE/Internet2 Computer and Network Security Task Force
For more information:
EDUCAUSE/Internet2 Computer and Network Security Task Force
http://www.educause.edu/security
Email: rpetersen@educause.edu