Staying ahead of the storm: know your role in information security before a crisis hits Jason Testart, IST Karen Jack, Secretariat.

Presentation transcript:

Topics
- Part I: Policy Overview (Jason)
- Part II: What to do when there’s a breach (Karen)
WatITis | Strengthening Collaboration | December 8, 2009 | Staying Ahead of the Storm

Policy Goals
- Reduce our exposure
- Comply with laws and regulations
- Focus our information security efforts
Information Security is about maintaining our integrity, not our egos!

On the topic of exposure…
STOP HOARDING INFORMATION!

You can’t compromise what’s not there
- REDUCE what we collect
- REDUCE what we duplicate
- REDUCE what we keep

Reduce your risk off campus
- Use remote access or data encryption.
- Use a secure connection.
- Beware of untrusted computers!

Don’t forget about Disposal!
Make sure that all confidential information is erased or not recoverable before computers, electronic storage media, or other electronic devices are disposed of.
See Electronic Media Disposal Guidelines

Information Security Policies, Standards, and Procedures
Drivers:
- Defense Production Act
- Privacy Laws
- Payment Card Industry DSS
Policy Development: Avoid disjointed policy statements

Policy Documents
- Statement on Security of UW Computing and Network Resources
- Policy 8 – Information Security
- Statement on Electronic Business
- Breach Notification Procedure
- Computer Security Incident Response Procedure
- IT Security Standards (all under development):
  - Mobile Device Security Standards
  - Standards for Secure Hosting
  - Password Policy

Security Classifications (from Policy 8)
- Public
- Confidential
- Restricted
- Highly Restricted

Roles & Responsibilities (from Policy 8)
- Information Steward: Governs the use of information
- Information Custodian: Keeper of the information
- User: Makes use of the data

Example: Vision Test (Optometry)
Who is the steward? Director, School of Optometry.
Who is the custodian? Support staff in Optometry who handle paper records; systems administrators of systems where results are stored.
Who is the user? Faculty and students in Optometry.

Steward Responsibilities
- Classify information.
- Assess risk.
- Delegate operational responsibility to one or more Information Custodians.
- Establish and maintain rules and procedures.
- Ensure compliance.

Custodian Responsibilities
- Know the rules set by the steward.
- Understand how information flows.
- Make sure information is available to authorized people and processes when needed.
- Make sure the integrity of information is maintained.
- Make sure information is not available to unauthorised people or processes.

Tips for Classifying Data
- First, classify information that is obviously public.
- Next, identify information that is Highly Restricted. Do you really need it? You need permission to use it.
- …then Restricted. We can help you, if needed.
- Whatever’s left is either obviously confidential or it’s not obvious. The information steward makes the call on public vs. confidential.

What to do when there’s a breach
Information security breaches make headlines:
- “Servers containing sensitive health information stolen”
- “Box of applications to university mistakenly thrown away”
- “Briefcase containing sensitive student information lost”

Despite your best efforts, there’s been a breach
- Server
- Memory stick with grades
- Information sent to wrong recipient
- Student assignments

What do I do?
Procedures:
- Incident Security Breach Response Procedure
- Computer Security Incident Response Procedure
An information security breach is any of:
- Circumvention of security controls
- Unauthorised use of information
- Unintended exposure of information
Purposes of the procedures:
- Legislation
- Identifying the cause(s) and prevention

Incident Security Breach Response Procedure
- What happened? Act with care, but act with speed.
- Contain / identify scope.
- Nature of breach: what was disclosed, to whom, and for how long.
- Advise others: contact the privacy coordinator to advise re:

Notice – what it might entail
Restricted information:
- Personal information
- Personal health information
- Information subject to non-disclosure
- Passwords or private encryption keys
Notice:
- Extent and specifics
- Steps individuals should take to protect themselves
- Immediate and long-term solutions
- Privacy Commissioner of Ontario / FIPPA

What’s the purpose of all this?
- Individuals may need to protect themselves
- Legislation
- It’s the right thing to do

Results
Investigation: Have notice requirements been met? Review circumstances of the breach.
Lessons Learned? Changes to procedures? Useful information to share?
Best Practices: Local users. Others at UW.

Final thoughts
- Shared responsibility
- Treat others’ personal information as you would wish others to treat yours