
Proposed Information Security Policy Changes

Presentation on theme: "Proposed Information Security Policy Changes"— Presentation transcript:

1 Proposed Information Security Policy Changes
CIO Council | June 27, 2016 | Smith Campus Center

2 Purpose and Intended Outcome
Purpose: To review with the CIO Council the proposed changes to the Information Security Policy.
Intended Outcome: Agreement to proceed with the proposed changes, effective 9/1/2016, or an understanding of the concerns that would prevent such agreement.

3 Agenda
We will review:
- The (first) annual Information Security Policy review process and its stakeholders
- Proposed changes to the Information Security Policy as a result of that process
- The communication, education and training plans in support of the changes
- Any concerns you have

4 Information Security Policy review process
Background: While we debuted a new Information Security Policy in 2013, we have never had a formal process to review and update this or the previous policy.
Annual Policy Review Process:
1. Anyone may suggest a change to an Information Security Council (ISC) member [by March, COMPLETED]
2. ISC member reviews and suggests to the Information Security Steering Group (ISSG) as appropriate [by March, COMPLETED]
3. ISSG reviews all suggested changes and recommends updates to the Information Security Council (ISC) [April, COMPLETED]
4. ISC approves changes to How-To's and agrees to recommend changes to Requirements to the CIO Council [April-May, COMPLETED]
5. CIO Council approves changes to Requirements [June 2016, IN PROGRESS]
6. Changes are effective September 1, 2016

5 Summary of Proposed Information Security Policy Changes - 2016
Topic: Encrypt mobile devices
  From: Roundabout implication that mobile devices should be encrypted ("protected against access if the device is lost or stolen")
  To: Clearly stated requirement that mobile devices that store or access Harvard information must be encrypted

Topic: Level 4 data on user devices
  To: Clarify that Level 4 data may be stored on approved encrypted portable media

Topic: Password complexity
  From: All passwords must meet complexity requirements
  To: Passwords of more than 20 characters in length have no other requirements

Topic: Use of HarvardKey
  To: Servers or applications with Level 3 or higher data must use HarvardKey

Topic: Password management
  From: Unclear security requirements for systems that manage passwords; no special requirements for Active Directory
  To: Clarify that systems that manage passwords must meet Level 4 requirements; includes new standards for Active Directory

Topic: Social Security Numbers
  From: Implicit that systems with SSNs must meet Level 4 requirements
  To: Four new specific requirements:
    1. Reiterate that systems with SSNs must meet all Level 4 requirements
    2. Keep SSNs only when required by law
    3. Dispose of or archive records with SSNs when not required by law
    4. Report location and volumes of SSNs annually

Effective as of 9/1/2016 – see full text in attached Microsoft Word document
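The password complexity change above is the one rule on this slide that a system can enforce directly: a password longer than 20 characters is accepted with no further checks, while shorter passwords still have to satisfy the complexity requirements. The following is an added example written for this page, not code from the presentation or from Harvard. The 20-character threshold comes from the slide; the complexity rules applied to shorter passwords (MIN_LENGTH, MIN_CLASSES) and the sample passwords are assumptions, since the slide does not state what "complexity requirements" means.

```python
"""Password-policy check for the 2016 rule: passwords of more than 20
characters carry no other requirements; shorter ones must meet complexity.

Added example, not from the presentation. MIN_LENGTH and MIN_CLASSES are
assumed values, since the slide does not spell out the complexity rules.
"""

PASSPHRASE_EXEMPT_LENGTH = 20   # from the slide: "more than 20 characters"
MIN_LENGTH = 10                 # assumption: minimum length for short passwords
MIN_CLASSES = 3                 # assumption: 3 of the 4 character classes


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password.

    Uses the str predicates so non-ASCII letters and digits are classified
    too; whitespace counts toward no class.
    """
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif not c.isspace():
            classes.add("symbol")
    return classes


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    # Passphrase path: strictly more than the threshold, nothing else is checked.
    # Note that this also accepts a 21-character string of one repeated letter,
    # which is exactly what "no other requirements" implies.
    if len(password) > PASSPHRASE_EXEMPT_LENGTH:
        return []

    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        violations.append(
            f"only {len(classes)} of {MIN_CLASSES} required character classes"
        )
    return violations


if __name__ == "__main__":
    # Constructed sample passwords; none are real credentials.
    for sample in [
        "correct horse battery staple",   # 28 chars: passphrase, exempt
        "Tr0ub4dor&3",                    # 11 chars, all four classes
        "password",                       # too short, one class
        "a" * 21,                         # exempt by length alone
        "abcdefghijklmnopqrst",           # exactly 20: not exempt, one class
    ]:
        result = check_password(sample)
        print(f"{sample!r}: {'accepted' if not result else '; '.join(result)}")
```

The length is measured in code points, so a server that stores passwords as bytes and truncates (an old `crypt(3)`-style 8-byte limit, for example) would silently undercut the passphrase exemption; the check only means something if the system that stores the password keeps all of it.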

6 Policy Communication, Education, and Training
Message/Objective: Announcement of policy updates and community responsibility to uphold
  Audience: Entire university
  Delivery Method: From Provost Alan Garber
  Timing: Beginning of September

Message/Objective: Local/School support of policy updates
  Audience: School Security Officers
  Delivery Method: Communicator toolkit, e.g. website content, PPT slides

Message/Objective: How-to explanations for new requirements, e.g. activate encryption on a laptop
  Delivery Method: Security website content

Message/Objective: Quick Reference Card for classifying, handling, disposing of data
  Delivery Method: Printable job aid posted on Security website
  Timing: Fall 2016

Message/Objective: Overview of policy and how to apply it in common use cases
  Audience: Staff and faculty who handle confidential data
  Delivery Method: Online training (Harvard Training Portal)

7 Questions and Concerns
