IT SECURITY POLICY AND COMPLIANCE
07/22/2013
Connie Barling, Information Security Officer
Alice Maginnis, Associate University Counsel
Robin Knapp, Comptrollers, Redbird Card Office
Jess Ray, Registrar
AGENDA
• 9.8 Policy and Procedures
• Compliance
• PCI
• FERPA
9.8 POLICY AND PROCEDURES
9.8 POLICY ON SECURITY OF INFORMATION TECHNOLOGY RESOURCES AND SYSTEMS
Framework to protect Illinois State University’s information technology resources, computers, networking systems, and data.
SECURING THE DATA: 9.8.1 PROCEDURE ON DATA CLASSIFICATION
Data Classifications
• Highly Restricted
• Restricted
• Unrestricted
SECURING THE DATA: 9.8.2 PROCEDURE FOR SECURING AND ACCESSING EACH DATA/SYSTEM CLASSIFICATION
Data Resource Types
• Non-Electronic Media
• Electronic Media
– University owned, maintained, or contracted servers
– University owned, maintained, or contracted workstations
– Personally owned workstations
SECURING THE DATA: DATA RESOURCE TYPES – CONT.
• Electronic Media – cont.
– University owned or maintained laptop computers
– Personally owned laptop computers
– University owned or maintained mobile devices
– Personally owned mobile devices
– University owned, maintained, or contracted printers, scanners/faxes, multi-function devices, and electronic surveillance devices
SECURING IT RESOURCES AND SYSTEMS
9.8.2 identifies Standards Working Groups. These standards are being developed by a team consisting of AT and University Security personnel:
• Account and Password Standard
• Minimum Security Standards for Servers
• Minimum Security Standard for Workstations
• Minimum Security Standard for Laptops
• Minimum Security Standard for Mobile Devices
• Minimum Security Standard for Printers/Scanners/Faxes, and Multi-Function Devices
• Encryption Standard
• Remote Access Standard
DATA DISPOSAL
• Computer systems and other electronic devices store information on a variety of media. It is important that all licensed software, "highly restricted" data, and "restricted" data are thoroughly sanitized from University-owned devices (computers, tablets, smart phones, etc.) before they are surplussed.
• The State of Illinois requires that all surplussed equipment be disposed of in accordance with the Data Security on State Computers Act.
Knowledge base article on the Technology Support Center website
OVERVIEW OF SECURITY ROLES: 9.8.3 PROCEDURES FOR DEFINING ENTERPRISE DATA REPOSITORY MANAGEMENT ROLES AND RESPONSIBILITIES
• Data Steward Council
• Data Steward
• Functional Owners
• Data Custodians
• Unit Security Liaisons
• Information Security Officer
• Information Architecture Team
• Information Technology Security Incident Response Team (ITSIRT)
ACCESS REQUEST: 9.8.4 PROCEDURES FOR REQUESTING AND GRANTING ACCESS TO THE ENTERPRISE DATA REPOSITORY
USLs are the principal contact for data security related matters and request access for their unit:
• Request new or changed data access for the unit
• Security awareness
• Review access list
ACCESS REVIEW: 9.8.5 PROCEDURES FOR NON-AFFILIATED INDIVIDUALS REQUESTING ACCESS
• Must be sponsored
• Method
• Responsibilities
INCIDENT REPORTING: 9.8.6 PROCEDURE FOR IT SECURITY INCIDENT REPORTING
What is an incident?
Information technology security incident – an event that:
• Impacts or has the potential to impact the confidentiality, integrity, or availability of ISU Information Technology Resources and Systems.
• Violates state or federal law or the policies and procedures of the University.
INCIDENT REPORTING
Who should report an IT security incident?
Any individual or group who in the course of using ISU Information Technology Resources and Systems observes an information technology security incident shall report that incident.
INCIDENT REPORTING
Where to report the incident?
Overview of IT Security Incident Reporting
• Criminal Activity – ISU Police
• Copyright violations – [email protected]
• Violations of the Appropriate Use Policy – [email protected]
• All other incidents – Unit Security Liaison
INCIDENT REPORTING
When a USL reports an Incident
The classification of the Data involved in the Incident determines the urgency of reporting the Incident.
• Highly Restricted Data: Call 438-ITSR (438-4877) Immediately!
– Contain the Incident
  • DO NOT POWER OFF THE SYSTEM
  • Remove the system from the network if possible
– Wait to be contacted by the IT Security Incident Response Team (ITSIRT)
INCIDENT REPORTING
When a USL reports an Incident
• Restricted Data: Complete the online IT Security Incident Report or call 438-ITSR
– Contain the Incident
  • DO NOT POWER OFF THE SYSTEM
  • Remove the system from the network if possible
– Wait to be contacted by the IT Security Incident Response Team (ITSIRT)
• Unrestricted Data: Complete the online IT Security Incident Report
– Repair the system and restore the service.
SECURING IT RESOURCES AND SYSTEMS: 9.8.7 PROCEDURES FOR ADMINISTRATION OF THE ENTERPRISE DATA REPOSITORY
• Guiding Principles
• Data Capture and Storage
• Data Integrity, Validation, and Correction
• Data Extracts and Reporting
• Data Management
• System Administration
E-SIGNATURES: 9.8.8 ELECTRONIC SIGNATURE PROCEDURES
• Risk Assessment and implementation method
• Responsibilities
• Developing and Implementing the Process
• Compliance
ADMINISTRATIVE TECHNOLOGIES SECURITY WEB SITE
AT.SHAREPOINT.ILLINOSSTATE.EDU/SECURITY
COMPLIANCE
LEGAL PROTECTIONS FOR DATA
• Electronic records and data are subject to numerous state & federal laws designed to protect the privacy of sensitive information.
• University Data Classifications & Applicable Laws/Regulations
– “Highly Restricted Data”
  • Social Security Numbers
  • Health Information
  • Other Personal Information
  • Financial Data
– “Restricted Data”
  • FERPA Protected (Student Records)
  • Other Data
HIGHLY RESTRICTED DATA
• Personal Information
– Social Security Number
– Birthdate (month, day, year)
– Certificate/License Number
– State Identification Card Number
– Directory Information Restricted by employee or student
– Disability status
– Driver’s License Number
– Genetic or Biometric Information or Identifiers
– Marital Status
– Medical records and personal health information
• Financial Information
– Account payment history
– Application fee waiver
– Bank account number/financial account numbers
– Credit or Debit Card Number
– Redbird Account Number
– Donation Information
– Garnishment
– Student Loan Accounts and Information
– Federal Student Aid Application and Information
• University Records
– Human Resource Benefits Records
– Job action material
– Background Checks
– Payroll information
– Internal Audit Records
– Investigator ID
– Electronic Surveillance
– Library Material Checked Out
– Location or management of hazardous materials
– Network diagrams
– Passwords, passphrases, PIN
– Police Reports Detail
– Personally identifiable information (PII) of human subjects
– Student Application Criminal History (self-reported) Status
– Counseling Center Records
RESTRICTED DATA
• Other Data
– Facility Availability
– Facility Floor Plans/Diagrams
– Facility Maintenance Records
– Facility Work Orders
– Gender
– Military Status
– Personnel Record
– Race/Ethnicity
– Staff Calendar/Scheduling
– Staff Sick and Vacation Time Used
– Student Course Evaluations
– University ID data (employee)
– Veteran Status
– Wellness Center Program Information
– Work Authorization (I-9)
• FERPA Protected
– Community Rights and Responsibilities Records
– Dining Hall Usage
– Electronic Door Access Records (if student)
– Student Fitness Center Membership and Usage
– Student Evaluations
– Student Grades
– Student Schedules
– University ID data (student)
– Veteran status (student)
SOCIAL SECURITY NUMBER
• University Policy 1.13 Identity Protection: SSNs can be collected for ONLY limited purposes required by law such as:
– Mandatory IRS withholding & reporting from students, vendors, employees.
– Entering into financial transactions.
– SSN Disclosure ONLY permitted with consent or when required by law.
• Collecting Social Security Numbers When Required By Law
– A statement must be provided explaining the purpose of collecting the number and whether the request is voluntary or mandatory.
SOCIAL SECURITY NUMBER
• SSNs may not:
– Be publicly posted or displayed
– Be transmitted over the Internet, unless the connection is secure or the SSN is encrypted. SSNs should not be required to be used to access University resources.
– Be e-mailed or otherwise delivered to the individual, except when required by law or application / enrollment materials.
– Be used for any purpose other than the purpose for which it was collected
• Maintaining Records Containing Social Security Numbers:
– Must be maintained ONLY by University employees required to have access to the numbers, in a confidential format.
– Numbers must be redacted if released in a public format.
– Records must be disposed of in a secure fashion and follow the University Record Retention Policy (7.1.55).
HEALTH INFORMATION
Specific health information is protected by federal and state law with more stringent confidentiality and disclosure requirements:
• Health Insurance Portability and Accountability Act (HIPAA) for Covered Health Units
• Illinois Mental Health Confidentiality Act and Developmental Disabilities Confidentiality Act
• Physician and Patient Privilege
• Americans with Disabilities Act (ADA)
OTHER PERSONAL INFORMATION
Other specific data/information is protected by additional federal and state law with more stringent confidentiality and disclosure requirements:
• Personal Information Protection Act
• Personnel Record Review Act
• Biometric Information Privacy Act
• Genetic Information Privacy Act
• Library Records Confidentiality Act
FINANCIAL DATA PROTECTIONS
• Personal Information Protection Act
• Red Flags Rule
• Payment Card Industry Data Security Standards (Credit Card Transactions)
FINANCIAL DATA: RED FLAGS RULE
• FTC Rule designed to create systems to prevent, detect & respond appropriately to identity theft.
• University Identity Theft Prevention Policy 1.4 and Procedure 1.4.1
• Protects information associated with University accounts that could be used to identify a specific person such as:
– Name, Address, Phone, E-mail, Date of Birth.
– Identifying Numbers: Driver’s license, Passport Number, SSN, FEIN
– Account number(s)
– Computer Information: IP Address, Routing Code
FINANCIAL DATA: RED FLAGS RULE
• A Red Flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft.
• If Red Flags are detected, please consult with your supervisor regarding appropriate steps to take to prevent identity theft.
• The University should maintain records regarding Red Flags and responses.
PCI
FINANCIAL DATA: PCI – ROBIN KNAPP
• What are the Payment Card Industry Standards?
• Requirements for Departments
• Where to get information?
• What to do if there is a security breach?
WHAT IS PCI?
• Payment Card Industry (PCI)
• Data Security Standards (DSS) set up by Visa and MasterCard.
• All credit card companies in the U.S. have endorsed the Standard.
• Created so there would be common industry security requirements.
WHY FOLLOW PCI STANDARDS?
• Protect customers against fraud and identity theft
• Mandated by credit card companies – “If you accept our credit card, you must follow these rules”
• For the University’s protection, to avoid huge penalties and bad publicity
TWELVE REQUIREMENTS
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
TWELVE REQUIREMENTS
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications (testing, documentation, back-up).
TWELVE REQUIREMENTS
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
TWELVE REQUIREMENTS
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for employees and contractors.
REQUIRED OF DEPARTMENTS
• Pre-approval on all software purchases with credit card capabilities
• Signature forms for all new employees (updated every year)
• Yearly training (every spring)
• Update Business Practices (yearly)
• Let E-Commerce Committee know if anything changes (procedures; staff)
REQUIRED OF DEPARTMENTS
• TouchNet Applications
– uStores
– uPay
– ONLY ENTER CREDIT CARD PAYMENTS ON SECURE, DEDICATED LAPTOPS OR WORKSTATIONS PROVIDED BY ADMINISTRATIVE TECHNOLOGIES.
REQUIRED OF DEPARTMENTS
• Don’t store full credit card numbers, exp. dates, PINs, or security codes.
• Settle credit card machines nightly and keep secure.
• Don’t transmit credit card numbers via e-mail or networked fax machines.
• Don’t print full credit card numbers on receipts.
REQUIRED OF DEPARTMENTS
• All credit card processing must be approved by the E-Commerce Committee
– Approved 3rd party software
– Credit Card machines provided by Global
– TouchNet
– Dedicated laptops for data entry
– Only mobile device approved is the cellular omni from Global
REQUIRED OF DEPARTMENTS
• Square and other card readers that attach to systems (laptops, cell phones, iPads, etc.) NOT approved
• Payments must go through the University
WHERE TO GET INFORMATION
• Comptroller’s Website (A-Z, PCI)
• E-Commerce Committee
– Robin Knapp
– Tom Shadid
– Dave Carson
– Tim Flynn
– Ryan Grahs
– Connie Barling
– Rendi Cottrell
– Paul Unsbee
– Adam Listek
WHAT TO DO IF THERE’S A BREACH
• Suspected or confirmed security breach (credit card numbers have been compromised)
• Call the Technology Support Center: 438-4357 (HELP)
• Comptroller’s Office will work with the department to determine the extent of the breach
• Comptroller’s Office may need to contact Visa, Local FBI, and U.S. Secret Service
FERPA IN 10 MIN.
USL Training Session
WHAT IS FERPA?
• The Family Educational Rights & Privacy Act of 1974 (FERPA) sets forth requirements regarding the privacy of student records.
• Under FERPA students have the right to:
– Inspect & review their education records
– Request to amend their education records
– Limit the disclosure of personally identifiable information (aka directory information)
WHO DOES FERPA PROTECT?
• FERPA protects the education records of any currently or formerly enrolled student regardless of their age or parental dependency status.
• FERPA does not apply to:
– Individuals who have applied but have not yet attended
– Deceased students
RECORDS ARE…
• Education Records are records that are:
– Directly related to a student
– Maintained by an educational agency or institution or by a party acting for the agency or institution.
• Records are any information maintained in any way, including, but not limited to:
– Handwriting, Video or Audio Tape, Computer Media, Film, Print and Microfilm/Microfiche.
EXCEPTIONS TO EDUCATION RECORDS
• Sole Possession Records – Those records or private notes held by a school official that aren’t accessible or related to other staff.
• Law Enforcement Records – Records created/maintained for a law enforcement purpose
• Employment Records
RECORDS EXCEPTIONS CONT.
• Medical Records – Records made and maintained in the course of treatment and disclosed only to those individuals providing treatment.
• Non-Current Student Records – Records that only contain information about a student after he or she is no longer at the institution (i.e. Alumni Records).
SO WHAT INFORMATION CAN WE DISCLOSE?
• As long as the student has not requested a restriction, we can release a student’s directory information without violating FERPA.
• Directory information is information that if disclosed, is not generally considered harmful or an invasion of privacy.
DIRECTORY INFORMATION AT ISU
• Student’s Name
• Address (local & home)
• Telephone Listing (local & home)
• Email Address
• Date & Place of Birth
• Major Field of Study
• Dates of Attendance
• Grade level (Fr, So, etc.)
• Enrollment Status (UG, GR, full-time, part-time, etc.)
• Participation in officially recognized sports and/or activities
DIRECTORY INFORMATION CONT.
• Weight & Height of Athletic Team Members
• Target Graduation Date
• Degrees Earned
• Merit Honors and/or Awards Received
• Most Recent Educational Agency or Institution Attended
• Signed and dated written consent from the student is required to disclose information not deemed as directory in nature.
WHO MAY HAVE ACCESS TO STUDENT INFORMATION?
• The student and any individual/entity who has the student’s written permission *
• School officials (as deemed by the University) who have a legitimate educational interest
• Parents of a dependent student as defined by the Internal Revenue Code *
• A person in response to a lawfully issued subpoena/court order (the University should try to inform the student first)
* The University may provide the information to the external entity or parents, but is not required to.
WHEN IS CONSENT NOT NEEDED?
Consent is not needed for disclosure of information to:
• Release directory information
• School Officials who have a legitimate educational interest
• Federal, state & local authorities involving an audit or evaluation of compliance with educational programs
• In connection with financial aid, including Veterans’ benefits
• Organizations conducting studies for or on behalf of an educational institution
WHEN IS CONSENT NOT NEEDED CONT.
• Accrediting organizations
• Parents of a dependent student
• Comply with a judicial order or subpoena
• In a health or safety emergency
• Release the results of a disciplinary hearing to an alleged victim of a violent crime
POSTING GRADES
• Posting of grades and other non-directory information in a public place without written consent of the student is a violation of federal law.
– Do not leave graded papers in a hallway for students.
LETTERS OF RECOMMENDATION
• If non-directory record information is used in the letter, then you need the student’s written release.
• If you use observations or directory information and the student does not have a restriction, then you do not need the written release.
ADDITIONAL RESOURCES
AACRAO – www.aacrao.org
US Department of Education – www.ed.gov/policy/gen/guid/fpco/index.html
Office of the University Registrar – www.registrar.ilstu.edu
QUESTIONS?