Best Practices for Protecting Data. Section Overview Mobile Computing Devices Technical Procedures Data Access and Permissions Verbal Communication Paper.

Slides:



Advertisements
Similar presentations
Protect Our Students Protect Ourselves
Advertisements

Computer and Mobile Device Equipment Security Brief May 29, 2008 Presented by: Kevin G. Sutton, Chief, Information Technology Unit.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Identification and Disposition of Official University Records University of Texas at Arlington Records Management.
Maintaining Security While Using Computers What all of Our Computer Users Need to Know.
Safeguarding Data to Ensure Effective Data Use Paige Kowalski |Director| State Policy & Advocacy July 2014.
HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website:
Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.
1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.
Critical Data Management Indiana University HR Summit April 24, 2014.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Copyright © 2014 Merck Sharp & Dohme Corp., a subsidiary of Merck & Co., Inc. All rights reserved. In practice, how do we recognize a potential Privacy.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Information Security Awareness:
Security Awareness: Applying Practical Security in Your World
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
1 Enterprise Security Your Information Security and Privacy Responsibilities © 2008 Providence Health & Services This information may be replicated for.
Session 3 – Information Security Policies
Information Resources and Communications University of California, Office of the President System-Wide Strategies for Achieving IT Security at the University.
THE WHY AND HOW OF DATA SECURITY YOUR ROLE IN DATA STEWARDSHIP DEPARTMENT OF MEDICINE IT SERVICES.
Security and Confidentiality Practices - Houston Dept. of Health and Human Services Jerald Harms, MPH, CART and Jeff Meyer, MD, MPH HIV/AIDS Surveillance.
HIPAA Basic Training for Privacy and Information Security Vanderbilt University Medical Center VUMC HIPAA Website: HIPAA Basic.
CSP Annual Security Training Miranda Gregory, CSP Analyst Carroll County Department of Citizen Services.
SECURITY: Personal Health Information Protection Act, 2004 this 5 min. course covers: changing landscape of electronic health records security threats.
New Data Regulation Law 201 CMR TJX Video.
Data Access and Data Sharing KDE Employee Training Data Security Video Series 2 of 3 October 2014.
Security Squad Keeping your Equipment and Information Safe Security Squad Keeping your Equipment and Information Safe Security Squad Video Series, Part.
 Review the security rule as it pertains to ›Physical Safeguards ♦ How to protect the ePHI in the work environment ♦ Implementation ideas for your office.
Information Security Technological Security Implementation and Privacy Protection.
ESCCO Data Security Training David Dixon September 2014.
IT Security Essentials Lesley A. Bidwell, IT Security Administrator.
Ames Laboratory Privacy and Personally Identifiable Information (PII) Training Welcome to the Ames Laboratory’s training on Personally Identifiable Information.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Environment for Information Security n Distributed computing n Decentralization of IS function n Outsourcing.
 INADEQUATE SECURITY POLICIES ›Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA.
Privacy and Information Management ICT Guidelines.
{ Active Directory Security Why bother?.   Law #1: Nobody believes anything bad can happen to them, until it does   Law #2: Security only works if.
University Health Care Computer Systems Fellows, Residents, & Interns.
Federated or Not: Secure Identity Management Janemarie Duh Identity Management Systems Architect Chair, Security Working Group ITS, Lafayette College.
PRIVACY, SECURITY & ID THEFT PREVENTION - TIPS FOR THE VIGILANT BUSINESS - SMALL BUSINESS & ECONOMIC DEVELOPMENT FORUM October 21, WITH THANKS TO.
FERPA: What you Need to Know The Family Educational Rights and Privacy Act & SEI.
SPH Information Security Update September 10, 2010.
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
Incident Security & Confidentiality Integrity Availability.
TRUENORTH TECHNOLOGY POLICIES OVERVIEW. This includes but is not limited to : – Games – Non-work related software – Streaming media applications – Mobile.
Organizing a Privacy Program: Administrative Infrastructure and Reporting Relationships Presented by: Samuel P. Jenkins, Director Defense Privacy Office.
Personal data protection in research projects
Blogs How to use the bog safely and secure? Create new username. Create a strong password to your account. Create the password to your uploaded files.
TASFAA 2016 Legacy of Leadership. TASFAA 2016 Legacy of Leadership Family Educational Rights and Privacy Act (FERPA) An Overview Molly Thompson Associate.
1 Information Governance (For Dental Practices) Norman Pottinger Information Governance Manager NHS Suffolk.
Computer Security Sample security policy Dr Alexei Vernitski.
Common sense solutions to data privacy observed by each employee is the crucial first step toward data security Data Privacy/Data Security Contact IRT.
By: Matt Winkeler.  PCI – Payment Card Industry  DSS – Data Security Standard  PAN – Primary Account Number.
POLICIES & PROCEDURES FOR HANDLING CONFIDENTIAL INFORMATION NOVEMBER 5 TH 2015.
SECURITY AND ELECTRONIC COMMUNICATIONS WHAT YOU NEED TO KNOW FOR YOUR AUDIT.
Properly Safeguarding Personally Identifiable Information (PII) Ticket Program Manager (TPM) Social Security’s Ticket to Work Program.
Overview to Student Data Privacy in Illinois
HIPAA Privacy and Security
DATA SECURITY FOR MEDICAL RESEARCH
Information Technology (IT) Audits
Things To Avoid: 1-Never your password to anyone.
Best Practices for Protecting Data
Overview to Student Data Privacy in Illinois
Move this to online module slides 11-56
County HIPAA Review All Rights Reserved 2002.
Dos and Don’ts.
HIPAA SECURITY RULE Copyright © 2008, 2006, 2004 by Saunders an imprint of Elsevier Inc. All rights reserved.
Introduction to the PACS Security
Presentation transcript:

Best Practices for Protecting Data

Section Overview Mobile Computing Devices Technical Procedures Data Access and Permissions Verbal Communication Paper Copies Data Destruction Data Inventory Privacy Officer De-identified data Passwords Workstation and File Security

Data Inventory Address key questions about your data with a data inventory: What systems do we have? What data do they store? What reports and exports are available? Who are the users?

Data Inventory Example SystemTypes of DataReporting FeaturesUsers Student Information SystemDemographics, Schedules, Grades, Attendance, etc. Ad-hoc, Pre-defined, User- defined, Exports Administrators, Teachers, Secretaries

Determine who is responsible for the following data and privacy issues: Leading a district security team Educating staff on regulations, best practices and policy Management and delivery of data Maintaining information on agreements and contracts Maintaining logs of users with access to PII Documenting data collection processes Acting as a contact for the public on privacy questions and concerns Privacy Officer

De-identify Data De-identify detail data used in analysis, projects and presentations: De-identified data - Data regarding students that uses random identifiers. NameGradeSPEDMath 3 LevelELA 3 Level Student 14NoLevel 3Level 4 Student 24NoLevel 3 Student 34NoLevel 2Level 1 Student 44YesLevel 3Level 2 Student 54NoLevel 4 Student 64NoLevel 3

De-identify Data Aggregated Data - Anonymized data that can not be used to identify a particular student. Reported at the school or district level. Use aggregated data where possible:

Indirect Identification SubgroupPercent Proficient American Indian83.4% Asian87.7% Black91.7% Hispanic81.0% Two or More Races0.00 % White79.2% Be mindful of indirect identification issues:

Do any of these passwords look familiar?

Strengthen passwords Make every new password a unique password Change passwords regularly Never write down or share passwords Disable the “Remember Password” function in browsers Change passwords immediately if compromised Use a secure password management method Passwords Employ password protection strategies:

Strong Passwords… Are 8 or more characters long and contain a mix of upper and lowercase letters, numbers, and symbols… …and are easy to remember: Password Strength

Strong Passwords… Are 8 or more characters long and contain a mix of upper and lowercase letters, numbers, and symbols… Ham&3gg$ is stronger that hamandeggs …and are easy to remember Hwd2tmnc2L! can be remembered from the passphrase He who dares to teach must never cease to learn! Password Strength

Weak Passwords… Are the same as your login or contain family names Contain common words Contain easily accessible information about you Contain only numbers or letters Passwords

Weak Passwords… Are the same as your login or contain family names Jsmith or raymond Contain common words Football Contain easily accessible information about you Mathteacher Contain only numbers or letters or abcdef Passwords

Senders No longer control information once it is sent Could choose the wrong address Receivers May forward it to others, or print a copy Sometimes leave workstations unsecured or have weak passwords Consider security and privacy issues related to everyday use of

Do not include personal or sensitive information:

Workstation and File Security Lock your workstation when not in use Download and store documents with sensitive information on secure network drives - not workstations! Use only encrypted USB flash drives (if used at all) Secure workstations and files:

Workstation and File Security Use secure methods such as SFTP or remote desktop applications to transfer sensitive data– not ! Follow district specific policies and procedures on file storage, data transfer and cloud applications. Store physical media in a secure area Secure workstations and files:

Implement MCD policies, and inventory data and equipment: Mobile Computing Devices - MCDs Develop policy that addresses the protection of data on MCDs Develop breach notification policy and procedures (including actions for employees to take in the event of a breach) Inventory personal and sensitive data stored on MCD’s and update on an ongoing basis

Technical Procedures Perimeter Defenses LAN and WAN Management Vulnerability Assessment Data Encryption Patch and Virus Management Software and Operating System Updates Crisis Management Assess technical procedures: See District Security Self Assessment - COSN

Data Access and Permissions Review staff duties and roles annually Adjust permissions when job duties change Deactivate former employees accounts immediately Do not create generic accounts in systems Have processes and policies in place Review audit logs and reports Implement policy and procedure regarding user management and access that should be on a “Need to Know” basis:

Verbal Communication Note that conversations can be overheard Don’t share sensitive information with unauthorized people Don’t share sensitive information while socializing Remember that verbal communication issues are an important consideration:

Paper Copies Keep paper copies as secure as electronic data: Consider whether you really need a paper copy Remember that copier/printer/scanners store images of all documents on hard drives Be mindful of where you are printing Don’t leave paper copies sitting on printers Store paper copies in a secure area

Data Destruction Minimize the amount of data retained Remove data in a way that renders it unreadable (paper) or irretrievable (digital) Require third parties receiving PII under the FERPA School Official Exception to destroy it when the relationship is terminated or when no longer needed (whichever comes first) Require third parties receiving PII under other FERPA Exceptions to destroy it when no longer needed Destroy documents and files when no longer needed: See Best Practices for Data Destruction - PTAC

Best Practices for Protecting Data Key Ideas Self-Assessment