Keep It Confidential
Prepared by: Security Architecture Collaboration Team
Data Confidentiality
• What data is considered confidential?
• Data Classification
  – Public
    • Campus maps
  – Sensitive
    • Contractual obligation to protect
    • Right to Know
  – Restricted
    • Required by law
      – HIPAA
      – FERPA
05/15/2009 2
Data Confidentiality
• Remember the 3 R's
  – Roles
  – Rules
  – Responsibility
Roles
• System Administrator/Technical
• Management
• Faculty
• Student
• Staff
Rules
• PASSHE Policy
• Employment Contract
• Confidentiality Policy
• Risk Assessment
Responsibility
• Everyone
Responsibility
• Individual accountability
• System Administrators and Managers
  – Responsible for safeguarding confidential data
  – Responsible for compliance
  – Responsible for persons under their supervision
• Faculty
  – Responsible for confidential data to which they have access
    • Bio/Demo data (including DOB and SSN)
    • Student grades and historical data
• Students
  – Responsible for managing their own confidential data
    • Log out of sessions
    • Do not share passwords
• Staff
  – Responsible for confidential data to which they have access
    • Bio/Demo data (including DOB and SSN)
    • Student grades and historical data
    • Salary information
User Security Awareness
• Topics
  – Password use and management
  – Virus protection
  – Phishing/Spam
  – Laptop/Handheld devices
  – Access privileges
  – Data backup and storage
  – Incident response
Security Breaches
• Follow designated policies and procedures
Misuse Penalties
• Civil and criminal
• Conflict of interest
• Disciplinary action
Checklist
• Policies and procedures are in place
• Data submissions are fully protected
  – Data encryption
  – Data transfer agreement
• Penalties for misuse are in writing and are enforced
• Access to data is restricted based on University role
  – Electronic
  – Data storage areas
• Employees sign and understand a confidentiality agreement
Checklist
• Timely threat notifications
• Security breaches
  – Affect the institution's finances, productivity and credibility
  – Cybercrime, hacking, malware, phishing, USB drives
Checklist
• Training program has been developed
• Re-training is conducted based on performance
• Routine evaluations are conducted
• Disaster recovery plan has been developed
• Firewalls are in place
• Routine virus checking, system audits and diagnostics
• Data retention schedule
Checklist
• Notation on all records containing identifiable data (e.g. a confidentiality reminder)
• Telecommuting and home offices
  – Same level of security
  – Additional safeguards
    • Minimal data on home computer
    • Security software
    • Password control
    • Secure transport from one location to another
Checklist
• Open-access area security
  – Written data not left out in the open
  – Log out of sessions
• Fax/Copy machines
  – Secure area
  – Cover sheets
  – De-program (clear stored jobs) so confidential information cannot be recovered from device memory
• Established document disposal procedures
• Protection of hard copy information
• Written consent to release to outside agencies
  – Double check before providing information
Confidentiality Agreement
Resources
• PASSHE
• National Cyber Security Alliance (NCSA)
  http://www.staysafeonline.org