
Data Classification Standard & Data Management Procedures
By: John L. Baines, Leo Howell, Jeff Webster
6/2/2015


Slide 2: Introduction
– Information is THE primary asset at the University
– Security & custody are now both strong issues
– Press & governance showing increased attention
– The University reputation is at stake

Slide 3: Increasingly Complicated Compliance Constraints

Statute | Type of requirement | University data | Example location
FERPA | Federal law | Student records | Faculty PC or server
HIPAA | Federal law | Health records | Athletics dept.
GLBA | Federal law | Financial data | Financial Aid
PCI DSS | Payment Card Industry - Data Security Std. | Credit card data | Bookstore server
SB 1048 | State Identity Theft law | SSN, etc. | R & R
 | State Employee Personal Information Privacy law | Staff data | Payroll
Federal Grants | Contract requirements | Research materials | Lab PC

Slide 4: Ohio University (reported in an Athens News article, 06-12-2006)
– Hackers gained access to personal data, including SSNs of 200,000 students and alumni
– Multiple incidents
– More than $77,000 spent sending letters
– Blow to alumni goodwill
– A number of writers to the University have expressed:
  – Anger
  – Frustration
  – Reluctance to donate any more money to OU
  – Requested bill for time
  – Questions about competence & integrity
  – Threat of class-action lawsuits!

Slide 5: Educational Institutes Seen as Easy Marks
– Los Angeles Times article - May 30, 2006
– ‘Since January, 2006 at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges nationwide.’
– ‘we were adding on another university every week to look into’ - Michael C. Zweiback, assistant U.S. attorney

Slide 6: Technology Makes Risk Higher
– On the Internet EVERYONE lives next door!
– Low-cost high-speed portable data storage: Corsair Flash Voyager 1GB USB 2.0 Flash Drive, final price $9.99
– Enough to store all University SSNs!!!

Slide 7: Not Just IT Anymore (If it ever was!)
(Slide graphic: labels for where data lives – Athletics, Download, Dept level, Portable data, IPR, Text, A/V, Web, Finance, HR – Electronic & Physical)

Slide 8: Two Draft Regulations - DCS & DMP
– Joint effort – RMIS & ITD
– Data Classification Standard (new)
  – Sensitivity of data
  – Security and privacy
  – Consistency
– Data Management Procedures (revised)
  – Responsibility and accountability
  – Authorization for access
  – Custody of information copies

Slide 9: Data Classification Standard - DCS
– University data
  – Identification
  – Confidentiality and sensitivity
  – Classification
  – Protection
  – Consistency

Slide 10: Three Virtual Protection Zones – Security follows data
– Based on Security from Data Classification Standard

Zone | Level | Criteria
Red | High | Impact to business; significant financial loss; violates laws, agreements, or regulations.
Yellow | Moderate | NOT Red, but adversely affects the University
Green | Normal | NOT Yellow, but authorization required to modify or copy

– E.g., a laptop with access to social security numbers operates in the Red zone
– E.g., a server with only published materials may require merely Green zone protection

Slide 11: Current DMP – Data Management Procedures
– University Regulation 8.00.3
– Original approved January 1990
– Served the University very well
– Is detailed and specific to:
  – Centrally managed data
  – Enterprise information systems
– New draft simplifies and extends to rest of University

Slide 12: The New Draft DMP
– Current DMP outline intact
– About 25% of original text
– Shortened text length from 8 pages to 4.5 pages
– Deleted specific references to RMIS internal procedures
– Updated the list of Data Trustees, Stewards, and Custodians
– Made a separately maintained table for:
  – Data Categories
  – Data Trustees
  – Data Stewards
  – Data Custodians
– Generalized and simplified the DMP
– Foundation and framework:
  – Management of any and all University data
  – Electronic and physical copies
– RMIS, Colleges, and Departments will:
  – Develop their own more detailed procedures
  – Establish relevancy to their own very specific data protection needs.

Slide 13: Logical Organization from DMP

Slide 14: DMP and DCS work hand in hand – Data Steward
– Classifies Data
– Establishes guidelines for his or her data
– Sets appropriate privacy / security level
– Avoids compliance findings
– Delegates authority, responsibility, and accountability

Slide 15: User Responsibilities
– Store data under secure conditions
– Make every reasonable effort to ensure the appropriate level of data privacy is maintained
– Use the data only for the purpose for which access was granted
– Not share IDs or passwords with other persons
– Securely dispose of sensitive University data

Slide 16: Possible Next Steps
– Guidance and awareness (we will work to develop guides; for example, a checklist to help classify data)
– Possible specific standards for protecting data based on classification level
– Training program for new data stewards, data custodians, and security administrators
– Security awareness program for users
– Resources for Campus Groups
  – ITD security staff
  – RMIS Information Assurance & Security area

Slide 17: So how do these regulations really affect me?

Slide 18: Examples – General
– Most administrative “business” data was already covered by the previous DMP, so Data Trustees, Data Stewards, and Data Custodians are already defined and have established processes for administrative data
– For other data on campus, similar processes may already be followed, and you should make sure they are documented

Slide 19: Examples – Data Extracts
– For users/groups that have received permission to make local copies of data, the Data Trustee and Data Steward are defined by the original data - the copiers have simply made themselves the Data Custodians for their own local copy
– This was the case under the previous DMP and Information Security Acknowledgement form; it has hopefully been clarified in the new draft DMP

Slide 20: Examples – Data Extracts with Local Additions
– If you are taking a data extract and adding extra local information to the data set, then this additional data is a new Data Category and needs a trustee, steward, and custodian
– In developing any process for who can access and use the combined data extract and local additions, you need to work with the other Data Steward(s), since the data is not all yours

Slide 21: Examples – Building Plans
– Building plans and other area design plans are very valuable records, since they show how the building is put together
– There are several areas of data custody that need to be considered:
  – Access limits because of sensitivity of the plans
  – Preservation of original plans
  – Defined source of the current master copy of a building plan
  – Procedures for allowing updates to master building plans

Slide 22: Examples – Fundraising
– During fundraising drives and other donation collection programs, a lot of potentially sensitive information may be collected about the individual donors:
  – Name
  – Address
  – Bank or Credit Card numbers
  – Other financial information
– Access to this data and its safe storage and disposal are your biggest concerns

Slide 23: Examples – Research Data
– Research Data is somewhat messy
– In general, you will probably end up with these roles:
  – Data Trustee – Dean
  – Data Steward – PI
  – Data Custodian – PI, local IT, grad student
– The two biggest issues to address are:
  – Who can access the data
  – Is the data stored safely

Slide 24: ‘Do Nothing’ Alternative
– For those found to have responsibility for the data:
  – Compliance failures
  – Data compromises
  – Theft of information
  – Lawsuits
  – Fines
  – Loss of reputation
– More stringent University-wide data control regulations that:
  – Can not take into account special characteristics of individual data items
  – Place unnecessary controls on all sensitive data in a more arbitrary way

Slide 25: Benefits
– Establishes consistency in handling sensitive data
– Clarifies authority, responsibility, and accountability for the security of data
– Delegates appropriately
– Simplifies audit and oversight
– Helps avoid embarrassing data leaks
– Guards against severe financial and legal penalties for compliance findings
