Wednesday, November 7, 2012
Create a Comprehensive Information Security Program With Limited Resources
Dana German, CTO, Albright College
Please complete this simple survey before we begin:
Tweet using: #E12_SESS058
November 7, 2012
• 1,600 day students
• 23 states and 19 countries represented
• 27% students of color
• 4% international students
• Full-time faculty: 110
• 12:1 student/faculty ratio
Albright IT Services
• Technology infrastructure and learning-focused technologies
• Technology training
• Computer replacement/deployment and support
• IT Help Desk and Media Services
• Enterprise applications/business process improvement/reporting
• Information Security (no dedicated staff)
What We’ll Cover…
• Core Policies
• Data Stewardship Framework
• Data Classification Standard
• Electronic Procedures for Highly Sensitive Data
• Enterprise Systems Inventory & Classification
• Risk Management (Risk Assessment Plans; DR Plans; Vendor Contracts)
• User Training
• Other Important Considerations
Survey Results… What’s the status of YOUR information security programs?
Core/Foundational Policies
• Acceptable Use Policy
• Administrative Data Management & Access Policy (including Data Stewardship)
• Data Classification Standard
Acceptable Use Policy
• Protection of individual user account credentials
• Protection of institutional computer systems and data
• Access only to authorized information
• Software licensing and copyright issues
• Compliance with federal and state laws and other college/university policies
Administrative Data Management & Access Policy
Administrative Data Mgt & Access Policy
The purpose of this policy is to define access, controls and protection of the college’s administrative data. Administrative data maintained by the institution is a vital information asset that will be available to all employees who have a legitimate need for it, consistent with the institution's responsibility to preserve and protect the integrity of the data, and to ensure the privacy of sensitive data. The institution is the owner of all administrative data; individual units or departments have stewardship responsibilities for data domains, or portions of the data.
Administrative Data Mgt & Access Policy
• Roles and responsibilities of Data Trustees, Data Stewards, Data Users
• Responsibilities of Data Management Group
• Data Classification Standard
Data Steward Responsibilities
• Approval of user access and authorization
• Ongoing annual reviews of security profiles
• User acceptance/sign-off for system upgrades, enhancements, changes
• Data integrity and accuracy
• User training
• Procedures for safeguarding restricted data
| DATA DOMAIN | DATA TRUSTEE | DATA STEWARD |
| --- | --- | --- |
| Traditional Undergraduate Admission Data | VP for Enrollment Management & Dean of Admission | Director of Enrollment & Information Services |
| ADP Admission & Student Data | Provost and VP for Academic Affairs | Director of the Accelerated Degree Programs |
| Student Academic Data, Course Schedules and Enrollment Data | | Registrar |
| Housing Data | VP for Student Affairs & Dean of Students | Director of Housing & Residential Learning |
| Student Affairs/International Students & Community Standards | | Assistant Dean of Students |
| DATA DOMAIN | DATA TRUSTEE | DATA STEWARD |
| --- | --- | --- |
| Health Services Data | VP for Student Affairs & Dean of Students | Assistant Dean of Students & Director of the Gable Health Center |
| Finance & Student Accounting Data | VP for Administrative & Financial Services | Associate VP/Controller |
| ID Card/Access Data | | Director of Public Safety |
| ID Card/Dining, Debit | | Senior Accountant |
| Human Resource Data | | Associate VP and Director of Human Resources |
| Payroll Data | | |
| DATA DOMAIN | DATA TRUSTEE | DATA STEWARD |
| --- | --- | --- |
| Student Financial Aid Data | VP for Enrollment Management & Dean of Admission | Director of Financial Aid |
| Advancement/Alumni Data | VP for Advancement | Director of Advancement Information Systems |
| Athletics Data | VP for Enrollment Management and Dean of Admission | Director of Athletics |
| Learning Management Systems | Provost and VP for Academic Affairs | LMS Application Administrator |
| Parent Data | | |
| Comparative Institutional Data | | Director, Institutional Research |
Data Classification Standard
• Public Data
• Restricted Data: by default, all administrative data not explicitly defined as either Highly Sensitive or Public are classified as Restricted Data. Examples of Restricted Data include student grades and faculty/staff salaries.
• Highly Sensitive Data
Data Classification Standard
Highly Sensitive Data: the first name, or first initial and last name, in combination with:
• SSN #
• Driver’s License Nbr or State-Issued ID #
• Credit Card #s
• Banking Acct #s
Electronic Storage of Highly Sensitive Data Procedure
Highly Sensitive Data must not be stored or kept on any non-network storage device or media. Prohibited storage media include desktop computers, laptop computers, PDAs, cell phones, USB drives, thumb drives, memory cards, CDs, DVDs, local external hard drives and other USB devices, unless specifically approved encryption methodologies have been utilized. Highly Sensitive Data cannot be distributed, including via e-mail or attachment, unless via approved encrypted means. Exceptions to the procedures for the electronic storage of Highly Sensitive Data must be approved by the appropriate division Vice President in consultation with the Chief Technology Officer. Approved exception requests will be documented to ensure the implementation of acceptable data encryption protocols.
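As an added illustration (not Albright College's code), the classification rule from the Data Classification Standard and the storage rule from the procedure above, applied to constructed sample records; the field names, medium names and the set of fields treated as Public are assumptions made for this example.

```python
# Added example, not Albright College's code: classify a record under the
# Data Classification Standard and check it against the Electronic Storage of
# Highly Sensitive Data Procedure. Field and medium names are assumptions.

# Identifiers that, in combination with a name, make data Highly Sensitive.
HS_IDENTIFIERS = {"ssn", "drivers_license", "state_id", "credit_card", "bank_account"}
# Fields assumed to be explicitly designated Public (the slide lists none).
PUBLIC_FIELDS = {"directory_name", "department", "office_phone"}
# Non-network media the procedure prohibits unless approved encryption is used.
NON_NETWORK_MEDIA = {"desktop", "laptop", "pda", "cell_phone", "usb_drive",
                     "thumb_drive", "memory_card", "cd", "dvd", "external_hdd"}

def _present(rec):
    """Field names that carry a value."""
    return {k for k, v in rec.items() if v not in (None, "")}

def has_name(rec):
    """First name, or first initial, in combination with last name."""
    p = _present(rec)
    return "last_name" in p and bool({"first_name", "first_initial"} & p)

def classify(rec):
    """Return 'Highly Sensitive', 'Public' or 'Restricted' (the default)."""
    p = _present(rec)
    if has_name(rec) and p & HS_IDENTIFIERS:
        return "Highly Sensitive"
    if p and p <= PUBLIC_FIELDS:
        return "Public"
    return "Restricted"  # everything not explicitly Highly Sensitive or Public

def storage_allowed(rec, medium, approved_encryption=False):
    """Highly Sensitive data may sit on non-network media only with approved encryption."""
    if classify(rec) != "Highly Sensitive":
        return True
    if medium not in NON_NETWORK_MEDIA:
        return True  # network storage
    return approved_encryption

# Constructed sample records (placeholder values, not real data)
NAME_SSN = {"first_name": "Ada", "last_name": "Lovelace", "ssn": "000-00-0000"}
INITIAL_CARD = {"first_initial": "A", "last_name": "Lovelace", "credit_card": "0000000000000000"}
SSN_ONLY = {"ssn": "000-00-0000"}  # identifier without a name: Restricted by default
GRADE = {"first_name": "Ada", "last_name": "Lovelace", "grade": "A"}  # Restricted
DIRECTORY = {"directory_name": "A. Lovelace", "department": "Mathematics"}  # Public

if __name__ == "__main__":
    for name, rec in [("NAME_SSN", NAME_SSN), ("INITIAL_CARD", INITIAL_CARD),
                      ("SSN_ONLY", SSN_ONLY), ("GRADE", GRADE), ("DIRECTORY", DIRECTORY)]:
        print(f"{name}: {classify(rec)}; allowed on usb_drive? {storage_allowed(rec, 'usb_drive')}")
```

Note that an identifier alone (SSN_ONLY) falls to Restricted rather than Highly Sensitive, because the standard requires the identifier in combination with a name.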
Enterprise System Inventory & Classification
Columns: Tier (1, 2, 3) | Highly Sensitive? | Externally Hosted?
Sample entries: PowerCAMPUS (Tier 1, Highly Sensitive: Y); Dynamic GP (Fac/Staff; N; Student); School Dude (Tier 3); Housing Director (Tier 2); Network File Shares
Technical Std for Enterprise System Classification, Risk Mgt & DRP
• If Tier 1 and internally hosted: documented DRP required, with annual testing of the plan
• If Tier 1 and externally hosted: should have DRP described in vendor contract
• If highly sensitive and internally hosted: documented RA required, with annual RA review
• If highly sensitive and externally hosted: various vendor contractual requirements
Vendor Contractual Requirements
• Network Security
• Data Security
• Data Storage
• Data Sharing/Access/Transmission
• Data Encryption
• End-of-Agreement Handling
• Security Breach Obligations/Notifications
• Audit Review
• Disaster Recovery
Information Security Awareness Training
• Institutional Policies
• Secure Computing Practices
• Incident Handling
Other Considerations (but there are many more!)
• Technical standards for backup and restoration
• Technical standards/procedures for electronic data removal from hard drives
• Technical standards/procedures for change control
• Software testing
• Website/page security checklist
• Wireless standards
• Remote access standards
Thank you for attending!
Dana German, CTO, Albright College
Phone:
Tweet using #E12_SESS058