Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Security Policies

Published byRaymond Leonard Modified over 6 years ago

Similar presentations

Presentation on theme: "Data Security Policies"— Presentation transcript:

1 Data Security Policies
NC IIPS Winter Conference

2 Presenters Rod Brower Chief Information Officer
Sandhills Community College Jakim Friant Infrastructure Team Manager Cape Fear Community College

3 Why have a Data Security Policy?
Required by Standards Protect Important Data Local Data Usage Storage Sharing Transmitted Data Permission to Share What can be Shared How it can be Shared

4 Policies Governing Data Security
Federal Level FERPA HIPAA State Level NC DIT Policy IIPS Standard Local Level Focus for today: State Level -- IIPS Standard Local Level -- College Policy

5 IIPS Standard Security requirements as defined by NCCCS IIPS

6 IIPS Standard: 030203 Controlling Data Distribution and Transmission
1 of 3 IIPS Standard: Controlling Data Distribution and Transmission Purpose: To protect the College’s data and information from unauthorized disclosure. STANDARD Technical access controls or procedures shall be implemented to ensure that data and information are distributed only as authorized and as appropriate. Access controls and/or procedures shall, in part, be based on college business requirements. Once a business justification is provided, personnel shall adhere to the following standards: Confidential information should not be stored on personally owned devices. If information includes both confidential data and data available for public inspection, the classification level shall default to confidential. Electronic media entering or leaving offices, processing areas or storage facilities shall be appropriately controlled. Storage areas and facilities for media containing confidential data shall be secured and all filing cabinets provided with locking devices.

7 IIPS Standard: 030203 Controlling Data Distribution and Transmission
2 of 3 IIPS Standard: Controlling Data Distribution and Transmission Confidential information shall not be supplied to vendors, contractors or other external organizations without properly executed contracts and confidentiality agreements specifying conditions of use, security requirements and return dates. When confidential information is shipped, the delivery shall be verified. All confidential information shall be encrypted when transmitted across wireless or public networks1, including transmissions such as FTP and electronic mail. Confidential data shall be encrypted when stored on non-State owned devices and only by authorized users. Federally protected confidential data shall not be stored on non-State owned/managed devices. 1) For the purpose of this standard, a public network includes the State Network. It does not apply to internal College networks. Internal College networks are considered private networks.

8 IIPS Standard: 030203 Controlling Data Distribution and Transmission
3 of 3 IIPS Standard: Controlling Data Distribution and Transmission Encryption algorithms for the transmission of confidential data include, at a minimum, Secure Socket Layer (SSL) RC4 128 bit algorithms, SSL Server-Gated Cryptography (SGC) 128 bit algorithms, TLS bit algorithms, or those algorithms that are accepted and certified by the National Institute of Standards and Technology (NIST)2. 2) NIST

9 IIPS Standard: 010101 Defining Information
1 of 2 IIPS Standard: Defining Information Purpose: To protect the College’s information. STANDARD Information includes all data, regardless of physical form or characteristics, made or received in connection with the transaction of public business by any College or State government. The College’s information shall be handled in a manner that protects the information from unauthorized or accidental disclosure, modification or loss. All Colleges shall maintain a comprehensive and up-to-date database of their information assets and periodically review the database to ensure that it is complete and accurate.

10 IIPS Standard: 010101 Defining Information
2 of 2 IIPS Standard: Defining Information Each College, through its management, is required to protect and secure the information assets under its control. The basic information requirements include, but are not limited to: Identifying information assets and maintaining a current inventory of information assets. Complying with applicable federal and state laws, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and all applicable industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS). Assessing the vulnerability and risk associated with information assets. Determining the value of information assets to the organization and the business processes they support. Providing the level of information protection for information assets that is appropriate to their vulnerability, risk level, and organizational value. Maintaining a business and disaster recovery plan with respect to information technology and process.

11 IIPS Standard: 010103 Storing and Handling Classified Information
1 of 3 IIPS Standard: Storing and Handling Classified Information Purpose: To protect the College’s Information, including information security records, through the establishment of proper controls. STANDARD The College’s information, data and documents shall be handled in a manner that will protect the information, data and documents from unauthorized or accidental disclosure, modification or loss. All information, data and documents must be processed and stored in accordance with the classification levels assigned to those data in order to protect their integrity, availability and, if applicable, confidentiality. The type and degree of protection required shall be commensurate with the nature of the information, the operating environment, and the potential exposures resulting from loss, misuse or unauthorized access to or modification of the data. A College that uses confidential information from another College shall observe and maintain the confidentiality conditions imposed by the providing College if legally possible. Colleges shall ensure that confidential information in electronic form is properly protected in transport or transmission.

12 IIPS Standard: 010103 Storing and Handling Classified Information
2 of 3 IIPS Standard: Storing and Handling Classified Information Special protection and handling shall be provided for information that is covered by statutes that address, for example, the confidentiality of financial records, taxpayer information and individual census data. The College shall manage and protect confidential information if provided to any external entity. The records disclosed that are confidential because the records disclose information technology security features shall be designated by affixing the following statement, “Confidential per G.S. § (c)”, on each page. The College shall be committed to the concern for and the protection of students’ rights and privacy of information The College will comply with the provisions of the Federal Family Rights and Privacy Act (FERPA), which is a federal law that governs the maintenance of students’ records. Under law, students have the right to inspect their educational records, correct inaccuracies in the records, if warranted, and the records are protected from release of information without written consent. The parent(s) of a dependent student as defined in Title 26 U.S. C.s152 of the Internal Revenue Code also has this right to inspect records that are maintained by the College on behalf of the student.

13 IIPS Standard: 010103 Storing and Handling Classified Information
3 of 3 IIPS Standard: Storing and Handling Classified Information Confidential information technology security records shall be provided only to agencies and their designated representatives when necessary to perform their job functions. College shall ensure that confidential information is properly protected in transport or transmission. College shall ensure that all confidential information and related files under the college’s control in electronic format are handled properly and secured accordingly. Use of such information shall be in compliance with all applicable laws and regulations and limitations imposed by contract(s). Confidential information technology security records shall not be transmitted electronically over public networks unless encrypted while in transit. See standard – Controlling Data Distribution and Transmission for the minimum requirement for encrypting data in transit. Employees who are provided access to information technology security records shall sign a non-disclosure agreement that includes restrictions on the use and dissemination of the records. Colleges shall ensure that legal and business risks associated with contractors' access are determined, assessed and appropriate measures are taken. Such measures may include, but are not limited to, non-disclosure agreements, contracts, and indemnities.

14 Local Policy Example From CFCC Process:
Data Sharing Request initiated by a Department Questionnaire Sent to Vendor and Dept Reviewed by IT Services and the Information Technology Committee

15 Data Sharing Agreement
This document defines the requirements for a department at your school and also the requirements that should be met by the vendor. Policy and procedures as defined by your college and governed by the other standards that colleges are required to follow.

16 Data Sharing Agreement: Questions for the Department
The department initiating the request is asked to consider the following… Purpose Regulations Data Flow Data Disposal

17 Data Sharing Agreement: Questions for the Vendor
The vendor is asked to respond with details on how they will protect the data that is being sent to them… Organizational Oversight Data Security Process for Reporting Problems

18 Examples at CFCC Financial Aid -- uses HTTPS upload
Human Resources -- SFTP and preshared keys (host and user) NC State -- encrypted with GnuPG Concessions -- Dropbox account Registrar -- OneDrive shared file

19 Questions?

Download ppt "Data Security Policies"

Similar presentations

IT Security Policy Framework

IT Security Policy Framework
University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.

University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.
1. As a Florida KidCare community partner families entrust you to not only help them navigate the Florida KidCare system but to keep the information they.

1. As a Florida KidCare community partner families entrust you to not only help them navigate the Florida KidCare system but to keep the information they.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.

Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Today’s Schools face:  Numerous State and Federal Regulations  Reduced Technology Funding  More Stringent Guidelines for Technology Use.

Today’s Schools face:  Numerous State and Federal Regulations  Reduced Technology Funding  More Stringent Guidelines for Technology Use.
Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.

Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.
SIU School of Medicine Identity Protection Act and Associated SIU Policy.

SIU School of Medicine Identity Protection Act and Associated SIU Policy.
Auditing Computer Systems

Auditing Computer Systems
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT Electronic Signatures This work is the intellectual property of the author. Permission is granted for this material.

FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT Electronic Signatures This work is the intellectual property of the author. Permission is granted for this material.
HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.

HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.
Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.

Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.

Similar presentations

Ads by Google