Information Security Office Protecting Privacy in the New Millennium © Copyright Melissa Guenther, LLC. All rights reserved. Kelley Bogart – Information Security Coordinator Co-Chair EDUCAUSE Security Awareness Task Force
Information Security Office Understand: the driving forces behind privacy regulation key privacy terms and concepts obligations under the privacy regulations Perform your job functions in a manner consistent with the privacy requirements GBLA Terms and Definitions Objectives
Information Security Office Privacy training is about teaching employees the things they need to know about privacy Privacy Awareness is about keeping employees mindful of the things they have learned about privacy and the responsibilities they have with respect to privacy Practical Applications
Information Security Office Family Education Rights & Privacy Act FERPA
Information Security Office FERPA keystone federal privacy law for educational institutions imposes confidentiality requirements around student educational records prohibiting institutions from disclosing "personally identifiable education information" such as grades or financial aid information without the student's written permission. provides students with the right to request and review their educational records and to make corrections to those records. law applies with equal force to electronic and hardcopy records.
Information Security Office Gramm-Leach Bliley Act GLBA
Information Security Office This act applies to the U of A, however since we are required to comply with the Family Education Rights & Privacy Act (FERPA), the U of A is not subject to the GLBA privacy rules. We are subject to the Security area of GLBA. The U of A Security Plan
Information Security Office Gramm-Leach-Bliley Act (GLBA) applicable to financial institutions, colleges & universities and was enacted in requires that the U of A protect customer financial information including the personal identifying information such as names, addresses, account, credit information and Social Security numbers. Federal Trade Commission (FTC) regulations implementing the GLBA specifically provide that colleges and universities will be deemed in compliance with the privacy provisions of the GLBA if they are also in compliance with the Family Education Rights & Privacy Act (FERPA). GLBA compliance was required by May 23, 2003 and requires the U of A to: develop a comprehensive security program, assess the need for employee training, and include obligations in their agreements with third parties that have access to financial records covered by the GLBA.
Information Security Office Protection - initial scope of Act is to Safeguard Customer information Detection - requires Security Awareness Training to support the information security program in general, not just customer information Reaction - special emphasis in the Security Awareness training should include component to train employees about what they need to do to protect customer information
Information Security Office Health Insurance Portability and Accountability Act of 1996 (HIPAA) enacted to protect the rights of patients and participants in certain health plans. requires that health records be protected and to help protect against unauthorized disclosure of this information. includes patient data at Universities and used in Research studies.
Information Security Office American public has shown strong concerns about the privacy of its personal information - buying habits, medical records and financial information. One purpose of the many privacy regulations is to help protect people against the unwanted sharing of personal information. Why Privacy?
Information Security Office The intent of the safeguards is threefold: Insure the security and confidentiality of customer records; Protect against any anticipated threats or hazards to the security or integrity of the records; and, Protect against unauthorized access to or use of customer that could result in substantial harm or inconvenience to any customer.
Information Security Office Written Security Program Board of Director Approval Risk Assessment Manage and Control Risk Appropriate Measures Oversee Service Providers Monitoring of Program Administrative, Technical, And Physical Safeguards for Customer Records and Information Standards
Information Security Office Restrict access to client information to those that need to know. Ensure client information is not visible or accessible to others. Do not discuss client information in places where others may overhear Do not share existing passwords with anyone or give old passwords to new employees when contractor leaves. Discard old or used client information appropriately Confidentiality and Security of Clients
Information Security Office Refers to data collectors' responsibility to take reasonable steps to ensure that information collected from consumers is accurate and secure from unauthorized use Safeguards: required to develop policies to prevent fraudulent access to confidential financial information. Policies must be disclosed to all customers. Security
Information Security Office Adverse consequences include: Cease and desist orders. Civil money penalties may also be imposed. Negative press and loss of public confidence Corporate and personal penalties Penalties for Non Compliance
Information Security Office Company web site? marketing? Data collection and storage? Employee awareness and actions? Vulnerabilities Whenever personally identifiable information is gathered, stored or processed, it is possible that the privacy of some individuals may be threatened.personally identifiable information
Information Security Office What Can You Do to Ensure Privacy Compliance? Top Eight List for an Aware Enterprise
Information Security Office Keep it in a secure environment Keep food, drink, and cigarettes AWAY from it. Know where the fire suppression equipment is located and know how to use it 8. PROTECT YOUR EQUIPMENT
Information Security Office Keep unauthorized people AWAY from your equipment and data Politely challenge strangers in your area 7. PROTECT YOUR AREA
Information Security Office Never write it down or give it to anyone Don't use names, numbers or dates which are personally identified with you Change it often, but change it immediately if you think it has been compromised 6. PROTECT YOUR PASSWORD
Information Security Office Don't allow unauthorized access to your files and data NEVER leave your equipment unattended with your password activated - SIGN OFF! Password Protected screen saver 5. PROTECT YOUR FILES
Information Security Office Keep your anti-virus software up to date Do not open unexpected attachments Don't use unauthorized software Back up your files before implementing ANY new software 4. PROTECT AGAINST VIRUSES
Information Security Office If the data or information is sensitive or critical to your operation, lock it up! Human leak – do not discuss confidential information of any customer inappropriately 3. LOCK UP STORAGE MEDIA CONTAINING SENSITIVE DATA
Information Security Office Keep duplicates of your sensitive data in a safe place, out of your immediate area Back it up as often as necessary 2. BACK UP YOUR DATA
Information Security Office AND…#1 on the list of things to support security
Information Security Office Tell your manager or contact Security if you see any unauthorized changes to your data Immediately report any loss of data or programs, whether automated or hard copy Report all suspicious Immediately report any contact (face –to-face, phone, ) from someone you don’t know asking for confidential information REPORT SECURITY VIOLATIONS
Information Security Office Safeguard customer data at your Work station - Password Protected Screen Saver - Password construction & management - Shredding - Incident Reporting - Guidelines - Data Classification Matrix - ID Badges - Visitor Control -Clean Desk
Information Security Office Verify customer identity before information is released - Social Engineering - Incident Reporting - Visitor Control - Identity Theft
Information Security Office Respect access restrictions to customer information files - Password Construction and management - encryption
Information Security Office Keep customer information confidential, refrain from sharing customer information in conversations with other employees and outside parties -Phone conversations -Social Engineers -Fax machines -Shredders -Informal, social gatherings -
Information Security Office Know and follow the University’s Online Electronic Privacy Policy Finally
Information Security Office A statement of: how and why a company collects information what it does with it what choices you have about how it is used whether you can access the information what is done to assure that the information is secure Electronic Privacy Statement
Information Security Office SEC- -Y If not you, who? If not now, when?
Information Security Office Resources at the University of Arizona Kerio Firewall Sophos Anti Virus VPN client software Policies, Procedures and Guidelines Security Awareness
Information Security Office University Information Security Office Bob Lancaster 4 University Information Security Officer 4 Co-Director – CCIT, Telecommunications Security Incident Response Team (SIRT) Kelley Bogart 4 Information Security Coordinator