
Information Security Office Protecting Privacy in the New Millennium © Copyright 2002. Melissa Guenther, LLC. All rights reserved. Kelley Bogart – Information.

Presentation transcript:

Slide 1: Information Security Office. Protecting Privacy in the New Millennium. © Copyright 2002 Melissa Guenther, LLC. All rights reserved. Kelley Bogart, Information Security Coordinator; Co-Chair, EDUCAUSE Security Awareness Task Force.

Slide 2: Objectives
- Understand:
  - the driving forces behind privacy regulation
  - key privacy terms and concepts
  - obligations under the privacy regulations
- Perform your job functions in a manner consistent with the privacy requirements
- GLBA terms and definitions

Slide 3: Practical Applications
- Privacy training is about teaching employees the things they need to know about privacy.
- Privacy awareness is about keeping employees mindful of the things they have learned about privacy and the responsibilities they have with respect to privacy.

Slide 4: Family Education Rights & Privacy Act (FERPA)

Slide 5: FERPA
- Keystone federal privacy law for educational institutions.
- Imposes confidentiality requirements around student educational records, prohibiting institutions from disclosing "personally identifiable education information", such as grades or financial aid information, without the student's written permission.
- Provides students with the right to request and review their educational records and to make corrections to those records.
- The law applies with equal force to electronic and hardcopy records.

Slide 6: Gramm-Leach-Bliley Act (GLBA)

Slide 7: This act applies to the U of A; however, since we are required to comply with the Family Education Rights & Privacy Act (FERPA), the U of A is not subject to the GLBA privacy rules. We are subject to the Security area of GLBA. The U of A Security Plan: http://security.arizona.edu/gramm-leachblileyact.html

Slide 8: Gramm-Leach-Bliley Act (GLBA)
- Applicable to financial institutions, colleges and universities; enacted in 1999.
- Requires that the U of A protect customer financial information, including personal identifying information such as names, addresses, account and credit information, and Social Security numbers.
- Federal Trade Commission (FTC) regulations implementing the GLBA specifically provide that colleges and universities will be deemed in compliance with the privacy provisions of the GLBA if they are also in compliance with the Family Education Rights & Privacy Act (FERPA).
- GLBA compliance was required by May 23, 2003 and requires the U of A to:
  - develop a comprehensive security program,
  - assess the need for employee training, and
  - include obligations in its agreements with third parties that have access to financial records covered by the GLBA.

Slide 9:
- Protection: the initial scope of the Act is to safeguard customer information.
- Detection: requires Security Awareness Training to support the information security program in general, not just customer information.
- Reaction: special emphasis in the Security Awareness training should include a component to train employees about what they need to do to protect customer information.

Slide 10: Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Enacted to protect the rights of patients and participants in certain health plans.
- Requires that health records be protected against unauthorized disclosure.
- Includes patient data held at universities and used in research studies.

Slide 11: Why Privacy?
- The American public has shown strong concerns about the privacy of its personal information: buying habits, medical records and financial information.
- One purpose of the many privacy regulations is to help protect people against the unwanted sharing of personal information.

Slide 12: The intent of the safeguards is threefold:
- Ensure the security and confidentiality of customer records;
- Protect against any anticipated threats or hazards to the security or integrity of the records; and
- Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.

Slide 13: Standards for Administrative, Technical, and Physical Safeguards for Customer Records and Information
- Written security program
- Board of director approval
- Risk assessment
- Manage and control risk
- Appropriate measures
- Oversee service providers
- Monitoring of program

Slide 14: Confidentiality and Security of Clients
- Restrict access to client information to those who need to know.
- Ensure client information is not visible or accessible to others.
- Do not discuss client information in places where others may overhear.
- Do not share existing passwords with anyone, and do not give old passwords to new employees when a contractor leaves.
- Discard old or used client information appropriately.

Slide 15: Security
- Refers to data collectors' responsibility to take reasonable steps to ensure that information collected from consumers is accurate and secure from unauthorized use.
- Safeguards: required to develop policies to prevent fraudulent access to confidential financial information. Policies must be disclosed to all customers.

Slide 16: Penalties for Non-Compliance. Adverse consequences include:
- Cease and desist orders.
- Civil money penalties may also be imposed.
- Negative press and loss of public confidence.
- Corporate and personal penalties.

Slide 17: Vulnerabilities
- Company web site?
- Email marketing?
- Data collection and storage?
- Employee awareness and actions?
Whenever personally identifiable information is gathered, stored or processed, it is possible that the privacy of some individuals may be threatened.

Slide 18: What Can You Do to Ensure Privacy Compliance? Top Eight List for an Aware Enterprise

Slide 19: 8. PROTECT YOUR EQUIPMENT
- Keep it in a secure environment.
- Keep food, drink, and cigarettes AWAY from it.
- Know where the fire suppression equipment is located and know how to use it.

Slide 20: 7. PROTECT YOUR AREA
- Keep unauthorized people AWAY from your equipment and data.
- Politely challenge strangers in your area.

Slide 21: 6. PROTECT YOUR PASSWORD
- Never write it down or give it to anyone.
- Don't use names, numbers or dates which are personally identified with you.
- Change it often, but change it immediately if you think it has been compromised.

Slide 22: 5. PROTECT YOUR FILES
- Don't allow unauthorized access to your files and data.
- NEVER leave your equipment unattended with your password activated. SIGN OFF!
- Use a password-protected screen saver.

Slide 23: 4. PROTECT AGAINST VIRUSES
- Keep your anti-virus software up to date.
- Do not open unexpected email attachments.
- Don't use unauthorized software.
- Back up your files before implementing ANY new software.

Slide 24: 3. LOCK UP STORAGE MEDIA CONTAINING SENSITIVE DATA
- If the data or information is sensitive or critical to your operation, lock it up!
- Human leak: do not discuss confidential information of any customer inappropriately.

Slide 25: 2. BACK UP YOUR DATA
- Keep duplicates of your sensitive data in a safe place, out of your immediate area.
- Back it up as often as necessary.

Slide 26: AND… #1 on the list of things to support security

Slide 27: REPORT SECURITY VIOLATIONS
- Tell your manager or contact Security if you see any unauthorized changes to your data.
- Immediately report any loss of data or programs, whether automated or hard copy.
- Report all suspicious email.
- Immediately report any contact (face-to-face, phone, email) from someone you don't know asking for confidential information.

Slide 28: Safeguard customer data at your workstation
- Password-protected screen saver
- Password construction and management
- Shredding
- Incident reporting
- Email guidelines
- Data classification matrix
- ID badges
- Visitor control
- Clean desk

Slide 29: Verify customer identity before information is released
- Social engineering
- Incident reporting
- Visitor control
- Identity theft

Slide 30: Respect access restrictions to customer information files
- Password construction and management
- Email encryption

Slide 31: Keep customer information confidential; refrain from sharing customer information in conversations with other employees and outside parties
- Phone conversations
- Social engineers
- Fax machines
- Shredders
- Informal, social gatherings
- Email

Slide 32: Finally, know and follow the University's Online Electronic Privacy Policy: http://security.arizona.edu/uaelectprivstmt.htm

Slide 33: Electronic Privacy Statement. A statement of:
- how and why a company collects information
- what it does with it
- what choices you have about how it is used
- whether you can access the information
- what is done to assure that the information is secure

Slide 34: SEC- -Y. If not you, who? If not now, when?

Slide 35: Resources at the University of Arizona
- Kerio Firewall: https://sitelicense.arizona.edu/kerio/kerio.shtml
- Sophos Anti-Virus: https://sitelicense.arizona.edu/sophos/sophos.html
- VPN client software: https://sitelicense.arizona.edu/vpn/vpn.shtml
- Policies, Procedures and Guidelines: http://w3.arizona.edu/~policy/
- Security Awareness: http://security.arizona.edu/awareness.html

Slide 36: University Information Security Office
- Bob Lancaster, University Information Security Officer; Co-Director, CCIT, Telecommunications; Lancaster@arizona.edu; 621-4482
- Security Incident Response Team (SIRT): sirt@arizona.edu; 626-0100
- Kelley Bogart, Information Security Coordinator; Bogartk@u.arizona.edu; 626-8232
