
1 Staying ahead of the storm: know your role in information security before a crisis hits
Jason Testart, IST
Karen Jack, Secretariat

2 Topics
Part I: Policy Overview (Jason)
Part II: What to do when there’s a breach (Karen)
WatITis | Strengthening Collaboration | December 8, 2009 | Staying Ahead of the Storm

3 Policy Goals
Reduce our exposure
Comply with laws and regulations
Focus our information security efforts
Information Security is about maintaining our integrity, not our egos!

4 On the topic of exposure…
STOP HOARDING INFORMATION!

5 You can’t compromise what’s not there
REDUCE what we collect
REDUCE what we duplicate
REDUCE what we keep

6 Reduce your risk off campus
Use remote access or data encryption.
Use a secure connection.
Beware of untrusted computers!

7 Don’t forget about Disposal!
Make sure that all confidential information is erased or not recoverable before computers, electronic storage media, or other electronic devices are disposed of.
See Electronic Media Disposal Guidelines

8 Information Security Policies, Standards, and Procedures
Defense Production Act
Privacy Laws
Payment Card Industry DSS
Policy Development: Avoid disjointed policy statements

9 Policy Documents
Statement on Security of UW Computing and Network Resources
Policy 8 – Information Security
Statement on Electronic Business
Breach Notification Procedure
Computer Security Incident Response Procedure
IT Security Standards (all under development):
  Mobile Device Security Standards
  Standards for Secure Hosting
  Password Policy

10 Security Classifications (from Policy 8)
Public
Confidential
Restricted
Highly Restricted

11 Roles & Responsibilities (from Policy 8)
Information Steward: Governs the use of information
Information Custodian: Keeper of the information
User: Makes use of the data

12 Example: Vision Test Results @ Optometry
Who is the steward? Director, School of Optometry.
Who is the custodian? Support staff in Optometry who handle paper records; systems administrators of systems where results are stored.
Who is the user? Faculty and students in Optometry.

13 Steward Responsibilities
Classifying information.
Assessing risk.
Delegating operational responsibility to one or more Information Custodians.
Establishing and maintaining rules and procedures.
Ensuring compliance.

14 Custodian Responsibilities
Knowing the rules set by the steward.
Understanding how information flows.
Making sure information is available to authorized people and processes when needed.
Making sure the integrity of information is maintained.
Making sure information is not available to unauthorised people or processes.

15 Tips for Classifying Data
Classify information that is obviously public.
Identify information that is Highly Restricted.
  Do you really need it?
  You need permission to use it.
…then Restricted.
  We can help you, if needed.
Whatever’s left is either obviously confidential or it’s not obvious.
The information steward makes the call on public vs. confidential.

16 What to do when there’s a breach
Information Security Breaches make headlines:
“Servers containing sensitive health information stolen”
“Box of applications to university mistakenly thrown away”
“Briefcase containing sensitive student information lost”

17 Despite your best efforts, there’s been a breach
Server
Memory stick with grades
Information sent to wrong recipient
Student assignments

18 What do I do?
Incident Security Breach Response Procedure (http://www.adm.uwaterloo.ca/infosec/guidelines/breachprocedure.html)
Computer Security Incident Response Procedure (http://ist.uwaterloo.ca/security/policy/ir.shtml)
Information Security Breach:
  Circumvention of security controls
  Unauthorised use of information
  Unintended exposure of information
Purposes:
  Legislation
  Identifying the cause(s) and prevention

19 Incident Security Breach Response Procedure
What happened? Act with care, but act with speed.
Contain / identify scope:
  Nature of breach
  What was disclosed
  To whom
  And, for how long
Advise others: contact the privacy coordinator to advise re:

20 Notice – what it might entail
Restricted Information:
  Personal information
  Personal health information
  Information subject to non-disclosure
  Passwords or private encryption keys
Notice:
  Extent and specifics
  Steps individuals should take to protect themselves
  Immediate and long term solutions
  Privacy Commissioner of Ontario / FIPPA

21 What’s the purpose of all this?
Individuals may need to protect themselves
Legislation
It’s the right thing to do

22 Results
Best Practices: Local users. Others at UW.
Lessons Learned? Changes to procedures? Useful information to share?
Investigation: Have notice requirements been met? Review circumstances of the breach.

23 Final thoughts
Shared responsibility
Treat others’ personal information as you would wish others to treat yours

