Instructional & Information Technology Services Fall, 2008 2010 Activities and Updates Teresa Macklin Information Security Officer Information Security.

Presentation transcript:

Instructional & Information Technology Services, Fall 2008
Activities and Updates
Teresa Macklin, Information Security Officer, Information Security

Major Activities
- Information Security Audits
  - 10 campuses this year
  - Both practices and vulnerabilities being tested
- CSU-Wide Info Security Policies & Standards
  - Still in draft
  - Affects campus business practices

Policy & Standards Development
The CSU is implementing a set of CSU-wide policies and standards.
- Baseline policy and standard for a broad set of information security elements
- Scope: All campus plus auxiliary organizations
- Schedule: Draft of both due Fall, 2008

Policy & Standards Scope
- Strict identification, handling practices and tracking of "protected" data.
- More formal process for accessing an employee's files and for when they leave campus employment.
- Employees will have to receive security awareness training before being granted a user account.
- Structured reviews of user access lists for department shares and similar.
- More use of encryption to store and transmit protected data.

Security Awareness
CSU-Wide program
- Online training similar to sexual harassment training
- Customized by campus
- Provides baseline security awareness
- Participation is a requirement
- Scope: Entire campus community
- Schedule: AY08/09

Information Security Audit
- CSU Auditors are scheduling 10 audits this calendar year, likely the remaining campuses in 2009
- Initial audit document request is for 90 document areas
- Requires participation from IITS, HR, Materials Management, Procurement, Risk Management
- Payment Card Industry standards
  - Requires frequent assessment
  - Affects any use of payment cards via the campus network or using campus equipment

Changes To Campus Practices
- Classification of the data your organization uses.
- Periodic review of department access lists and practices by the ISO.
- IT security assessments required for some organizations.
- Many former "practices" documented as procedures.

Example Details
- Data Classification (Standard 15)
  - Departments will be required to identify applications and systems which access or store protected data.
  - Some data may not be sent unless encrypted.
  - Annual reviews of security permissions & practices.
  - Approval required to create "shadow" systems.
- Mobile Devices (Standards 12.2 & 12.3)
  - No protected data stored on mobile devices unless encrypted/protected (laptops, data phones, memory sticks).
- Info Security Awareness (Standard 10)
  - Required and tracked for every employee.
- Procurement/Contracts (Standards 6, 11)
  - Risk management process prior to procuring new systems.
  - Third party contract changes.
- Personnel (Standard 8)
  - Exit process must include securing data and access.

Your Action Items
- Respond to specific document requests by the ISO.
- Develop new internal processes to meet new requirements when policy/standards are published.
- Engage in the development process for campus implementation.
- Establish responsibility for annual reports and internal security audits (with the ISO).