
SECURITY AND ELECTRONIC COMMUNICATIONS WHAT YOU NEED TO KNOW FOR YOUR AUDIT.


1 www.msbanet.org

2 SECURITY AND ELECTRONIC COMMUNICATIONS WHAT YOU NEED TO KNOW FOR YOUR AUDIT

3 POLICY
On the way
– In the process of writing and working with MORENet to ensure best practices and meet State Auditor requirements

4 WHAT’S UP?
Auditor has completed audits of 5 districts – Boonville, Cape Girardeau, Orchard Farm, Park Hill, Waynesville
– Keep in mind these are “large(er)” districts
Some common themes occur in all the audits
– Passwords
– Backups
– Access Control
– Data Access/Disclosure
– Account Management

5 RESPONSIBILITY
EVERYONE in the district must be on board with the plan
– Won’t work if “some” teachers refuse to change passwords, etc.
– Even board members need to be on board – everyone is potentially vulnerable to cybersecurity issues

6 PASSWORDS
District should establish “adequate” password controls to reduce the risk of unauthorized access to computers and data
– Require all users to identify themselves
– Maintain a secure password before accessing district information
– Have a set expiration date – otherwise a user would have a “not expiring password”, which creates a greater risk of the password becoming known
– Prohibit sharing passwords or using another person’s

7 USER ACCESS
Must perform periodic reviews of users’ access to data
– This means not everyone should have access to everything
– Must be appropriate and aligned with job duties
– As duties change, access may change or even be removed
Also monitor accounts assigned to former employees/volunteers
– “Inactive Accounts” – not used for an extended period of time
Should be no accounts shared by multiple users

8 USER ACCESS
Should be based on “need to know” – NOT on position
District should decide who will determine access – this should be a very limited number of people
– This is NOT necessarily the IT person
– IT may implement, but most likely won’t decide who gets access
Should also have very detailed, up-to-date information on who has access to what
Something to think about –
– Emergency access??

9 USER ACCESS
Logon Banners
– Must display logon banners to users accessing district systems and data
– Should display information to users regarding applicable privacy and security notices and required compliance with applicable laws, regs, and policies

10 LOGON BANNER
Should state –
– A user is accessing a district-provided information system
– That usage of the system may be monitored, recorded, and subject to audit
– That unauthorized use of the system is prohibited and may be subject to criminal and civil penalties
– That use of the system constitutes agreement with these terms

11 TERMINATING ACCESS
Need policy/procedure for disabling or removing user accounts in a timely manner
– Many instances of former users having access to district systems more than 30 days after leaving the district!
Procedures must be consistently applied – even to those not “technically” district employees
Need a process for reporting all staff actions to the IT department for accurate monitoring
– IT director most likely person to document
Same for students

12 SHARED ACCOUNTS / CONCURRENT ACCESS
Should prohibit staff from “sharing” accounts and passwords
No “generic” names or passwords
– Must be able to identify user with a specific account – a “uniquely identifiable user account”
Not allow “concurrent access” to district systems
– Sign on to two separate machines in two separate places
– Only one location at a time

13 DATA GOVERNANCE
Ensure the confidentiality, integrity, availability and quality of all data
Establish decision-making authority
Define policies for sensitive data
Ensure data is collected, maintained, used, and disseminated in an appropriate manner

14 DATA GOVERNANCE
Formally assign responsibility for management of the district’s data
Formalize a “data stewardship plan”
– Policies/procedures on protecting student data
Maintain an inventory of data files, the data in the files, and the sensitivity of the data
– Should classify by level of sensitivity
Implement a process to detect unauthorized disclosure of Personally Identifiable Information (PII)
Adopt a formal policy regarding archiving or destroying data at end of the lifecycle
– The process of removing information in a way that renders it unreadable or irretrievable

15 DATA GOVERNANCE
Everyone must be on board
– Example – Teachers who copy student info onto a zip drive
– This must be monitored and recorded
Must know where data is stored so that it may be protected

16 SECURITY
Formally appoint specific personnel to serve as security administrator(s)
– Assign responsibility for creating, implementing, maintaining security policies/procedures
– Develop a comprehensive “plan” and identify specific staff responsibilities

17 SECURITY
Use hardware/software to protect against and detect unauthorized access to systems
– Accounts, passwords, firewalls
– Procedures for allowing temporary or guest access (contractors/vendors) to tech resources – escort/sign-in procedures

18 SECURITY
Take steps to protect physical security
– Physical access to tech resources
– Who is authorized to access restricted or sensitive areas
– Locked rooms, cabinets
– System for periodic inventory of equipment

19 SECURITY
Develop a system for Security Logs
– Ensure ALL significant security incidents are detected/logged/investigated/resolved
– Especially “failed” login attempts
– All unauthorized access to sensitive or critical system resources
– Must be able to be effectively monitored

20 SECURITY
Develop awareness program for staff/employees who have access to district’s information systems as part of employment
– Enhance district data security by improving awareness of the need to protect system resources
– Develop knowledge and skill to perform job more securely
– Training, communication, create a process for reporting

21 SECURITY
Documented policies and procedures for:
– Resetting lost/compromised passwords
– Requesting and receiving approval for access
– Describing who is granted privileges
– Notifying administrators of disabled accounts
– How to disable accounts
– Reviewing user access to data

22 CONTINUITY PLAN
What happens if there is an emergency and the system goes down?
– Need policies/procedures for restoration of critical systems/data
– I.D. persons responsible for restoration of specific systems/data
– Alternate processing facilities (off site?)
– Back up data
– Training of staff
– Test the plan

23 DATA BREACH
Develop a complete formal data breach response policy
– Security incident in which sensitive data or confidential data (PII) has potentially been accessed, stolen, or used by an unauthorized individual
Law requires recording of each incident
US Dept of ED recommends all districts create a data breach response policy

24 DATA BREACH
Policy should include –
– Goals for the response process
– Include the definition of breach
– Staff roles, Reporting, Remediation, Feedback mechanisms
– “Well publicized” and available to all personnel whose duties include data protection
– Backing up data?

25 VENDOR CONTROLS
Establish a process for ensuring software the district purchases or uses complies with the district’s data security principles.
Maintain a copy of all contracts with vendors that impact the district’s data or security
– Contracts must conform to FERPA when relevant
– Must require the vendor to provide appropriate security functionality for the district

26 THANK YOU!
Scott Summers
Director, School Laws
Missouri School Boards’ Association
summers@msbanet.org
1.800.221.6722

