2011-2012 IT Audit Summary
Bruce Patrou, Chief Information and Technology Officer, St. Johns County School District

Presentation transcript:

IT Audit Summary
Bruce Patrou, Chief Information and Technology Officer, St. Johns County School District
Rick Laneau, Data Center Manager, Information Services, School District of Hillsborough County

User Account Management
- Develop a system to provision user accounts
- Document your methods
- Ensure your system handles account revocation
- Link accounts to your directory system (if able)
- Project at St. Johns:
  - Working to employ Microsoft FIM (Forefront Identity Manager) for employees
  - Auto-provision accounts when a record is new or changed in the HR system
  - Automatic revocation/lockout of account rights
  - Groups and rights tied to role
  - Accounts span multiple systems
  - Accounts tied to MS Active Directory

User Access Rights
- Limit users to role-based system rights
- Review users' rights
  - Document results
  - Make changes from findings
  - Perform as often as practical
- Document account approval procedures
- Avoid exceptions to your rules
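The two slides above describe one loop: HR is the authority, the directory is reconciled against it (joiner/mover/leaver), and the rights review strips anything outside the role's baseline. The following is an added example written for this page, not the district's FIM configuration; the role-to-group map, the HR roster and the directory export are all constructed, and a real deployment would replace the in-memory lists with an HR feed and directory queries.

```python
"""Joiner/mover/leaver reconciliation of an HR roster against directory
accounts, plus the role-based rights review. Constructed example: the role
map and both data sets are illustrative, not the district's."""
from dataclasses import dataclass, field

# Role -> directory groups the role is entitled to (constructed baseline).
# Any group outside this set is an exception the rights review must surface.
ROLE_GROUPS = {
    "teacher": {"Staff", "Gradebook-Users"},
    "registrar": {"Staff", "SIS-Registrar"},
    "it-admin": {"Staff", "Domain Admins"},
}


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    username: str
    role: str
    status: str  # "active" or "terminated"


@dataclass
class DirAccount:
    username: str
    employee_id: str
    enabled: bool
    groups: set


@dataclass
class Plan:
    create: list = field(default_factory=list)         # (username, role, groups)
    disable: list = field(default_factory=list)        # usernames of leavers
    add_groups: dict = field(default_factory=dict)     # username -> groups to add
    remove_groups: dict = field(default_factory=dict)  # username -> groups to strip
    orphans: list = field(default_factory=list)        # accounts with no HR record


def reconcile(hr_roster, directory):
    """Compare HR (authoritative) against the directory and return the changes
    an automated provisioning system would apply."""
    plan = Plan()
    by_emp = {a.employee_id: a for a in directory}
    seen = set()
    for rec in hr_roster:
        acct = by_emp.get(rec.employee_id)
        if acct is not None:
            seen.add(rec.employee_id)
        if rec.status != "active":
            # Leaver: an enabled account for a terminated employee gets disabled
            if acct is not None and acct.enabled:
                plan.disable.append(acct.username)
            continue
        desired = ROLE_GROUPS.get(rec.role, set())
        if acct is None:
            # Joiner: provision with exactly the role's baseline groups
            plan.create.append((rec.username, rec.role, desired))
            continue
        # Mover / rights review: bring group membership back to the baseline
        missing = desired - acct.groups
        extra = acct.groups - desired
        if missing:
            plan.add_groups[acct.username] = missing
        if extra:
            plan.remove_groups[acct.username] = extra
    # Accounts that no HR record vouches for are the "exceptions to your rules"
    plan.orphans = sorted(a.username for a in directory if a.employee_id not in seen)
    return plan


# Constructed sample data
HR_ROSTER = [
    HrRecord("E100", "alice", "teacher", "active"),
    HrRecord("E101", "bob", "registrar", "active"),
    HrRecord("E102", "carol", "teacher", "terminated"),
    HrRecord("E103", "dave", "it-admin", "active"),  # new hire, no account yet
]
DIRECTORY = [
    DirAccount("alice", "E100", True, {"Staff", "Gradebook-Users", "Domain Admins"}),
    DirAccount("bob", "E101", True, {"Staff"}),
    DirAccount("carol", "E102", True, {"Staff", "Gradebook-Users"}),
    DirAccount("svc_legacy", "E999", True, {"Staff"}),  # nobody in HR owns this
]

if __name__ == "__main__":
    p = reconcile(HR_ROSTER, DIRECTORY)
    print("create:", p.create)
    print("disable:", p.disable)
    print("add groups:", p.add_groups)
    print("remove groups:", p.remove_groups)
    print("orphans (review):", p.orphans)
```

Running it produces the review's findings directly: dave is provisioned with the it-admin baseline, carol is disabled, bob gains SIS-Registrar, alice loses Domain Admins, and svc_legacy is flagged for a human decision rather than silently kept.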

Data Loss Prevention
- School districts handle lots of sensitive data
  - Student academic records (many elements)
  - Staff sensitive data (SSN, medical, etc.)
- Loss or unauthorized disclosure can be damaging
- Identify what is sensitive and where it is located
- Identify how it is accessed and via what systems
- Identify how to control its transmission
  - Policies, procedures
  - Monitoring
  - Encryption
  - User awareness and training

Data Loss Prevention (continued)
- Supported by multiple documents:
  - Employee Acceptable Use Policy
  - Procedures for Handling Student Directory Information
  - IT Procedures Handbook
    - Procedures for handling and transmitting sensitive data
    - Location and security of sensitive/critical data
    - Data inventory
    - Data backup
    - Training and awareness
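"Identify what is sensitive and where it's located" needs something that actually finds the data in exports, shares and mailboxes. The block below is an added example, not a tool from the district's program: it locates structurally valid SSNs (the staff data type the slide names) in text, masks them for safe logging, and reports which lines contain them. The sample export is constructed; the regex applies the SSA's structural rules (area 000, 666 and 900-999 never issued, group 00 and serial 0000 invalid) and does not check whether a number was ever issued.

```python
"""Locate SSNs in text so the 'what is sensitive and where' step has evidence
behind it. Added example; sample text is constructed and the pattern enforces
the SSA's structural rules, not a lookup of issued numbers."""
import re

# Area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)(\d{3})[- ]?(?!00)(\d{2})[- ]?(?!0000)(\d{4})\b"
)


def find_ssns(text):
    """Return every structurally valid SSN found in the text."""
    return [m.group(0) for m in SSN_RE.finditer(text)]


def redact(text):
    """Mask all but the last four digits so findings can be logged safely."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(3), text)


def scan_lines(lines):
    """Return (line_number, hit_count, redacted_line) for lines that contain SSNs."""
    findings = []
    for n, line in enumerate(lines, start=1):
        hits = find_ssns(line)
        if hits:
            findings.append((n, len(hits), redact(line)))
    return findings


# Constructed sample export: two real-looking SSNs, plus decoys that must not match
SAMPLE_EXPORT = """Student roster export 2012-03-01
Name: J. Doe, SSN 123-45-6789, grade 10
Phone: 904-555-0123 ext 4567
Staff ID 000-12-3456 is not a valid SSN
Payroll: 219 09 9999 (spaces)
Order number 123456789012"""

if __name__ == "__main__":
    for lineno, count, masked in scan_lines(SAMPLE_EXPORT.splitlines()):
        print(f"line {lineno}: {count} SSN(s): {masked}")
```

Pointing `scan_lines` at the lines of every file under a share (for example via `os.walk`) turns this into the data inventory the handbook calls for; the redaction matters because the inventory itself would otherwise become another copy of the sensitive data.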

Disaster Recovery and Testing
- Identify critical processes
- Identify key staff to participate
- Cold or hot remote site
- Annual testing
- Daily log file updates to the remote site
- Dedicated connection preferred

User Authentication Security Settings
- Password length (minimum 8)
- Password complexity enabled
- Password history
- Account lockout after x failed attempts
- Password expiration (60 days)
- Document your settings
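The settings above are normally enforced by the directory itself; for a home-grown application that is not tied to Active Directory, the same rules have to be implemented in code. The following added example (not the district's configuration) shows each setting as a check: minimum length 8, complexity, a salted-hash history, lockout after x failures, and 60-day expiry. The lockout threshold of 5 and the 30-minute lockout duration are assumed values, since the slide leaves x unspecified.

```python
"""Password policy checks matching the settings above. Added example; the
lockout threshold, lockout duration and history storage are assumptions."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

POLICY = {
    "min_length": 8,
    "complexity_classes": 3,   # of upper / lower / digit / symbol (Windows rule)
    "history": 5,              # previous passwords that may not be reused
    "lockout_threshold": 5,    # the "x" on the slide; assumed value
    "lockout_minutes": 30,     # assumed lockout duration
    "max_age_days": 60,
}


def _char_classes(pw):
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def _digest(pw, salt):
    # Slow salted hash so a leaked history store is not a cheap cracking target
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def remember(history, pw):
    """Append a (salt, digest) entry so this password cannot be reused later."""
    salt = os.urandom(16)
    history.append((salt, _digest(pw, salt)))


def check_password(username, candidate, history, policy=POLICY):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < policy["min_length"]:
        problems.append("too short")
    if _char_classes(candidate) < policy["complexity_classes"]:
        problems.append("complexity")
    if username and username.lower() in candidate.lower():
        problems.append("contains username")
    for salt, digest in history[-policy["history"]:]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            problems.append("reused")
            break
    return problems


class LockoutTracker:
    """Count failed logons per user and lock the account after the threshold."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.failures = {}
        self.locked_until = {}

    def is_locked(self, user, now):
        return user in self.locked_until and now < self.locked_until[user]

    def record_failure(self, user, now):
        """Return True if the account is locked after this failure."""
        if self.is_locked(user, now):
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.policy["lockout_threshold"]:
            self.locked_until[user] = now + timedelta(minutes=self.policy["lockout_minutes"])
            self.failures[user] = 0
            return True
        return False

    def record_success(self, user):
        self.failures.pop(user, None)


def password_expired(last_set, now, policy=POLICY):
    """True once the password is older than the maximum age (60 days above)."""
    return now - last_set > timedelta(days=policy["max_age_days"])


if __name__ == "__main__":
    hist = []
    remember(hist, "Summer2012")
    print(check_password("jdoe", "Summer2012", hist))   # reused
    print(check_password("jdoe", "correcthorse", []))   # complexity
    print(password_expired(datetime(2012, 1, 1), datetime(2012, 3, 15)))
```

Whatever the values end up being, the slide's last bullet still applies: write the chosen numbers down, because an auditor will compare the documented policy against what is actually enforced.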

Incident Response Procedures
- Procedures for reporting the unauthorized release of sensitive student or staff data
- Include who will do what, and when

IT Procedures Manual
- Mission/goal
- Definitions
- Documentation standards
- Org chart (IT department, including roles)
- Major software acquisition
- Project approval, selection and monitoring
- Operational procedures
- Security awareness program
- Security and access
- System backups

Security Risk Assessment
- Security Risk Assessment Survey and Mitigation Plan (see template)
- External/internal penetration assessment
- Helpful links to NIST and Florida AEIT
  - /Security/2011FloridaITRiskAssessmentFinal.pdf
  - NIST SP Revision 1 (Sept 2011 Draft)

Security Awareness Program
- Publish security awareness notes for employees
- Publish notice of changes
- Provide training to staff on changes
- Security training (logged via the professional development system)
- Example (slide image not reproduced in the transcript)

Questions