Keep

It

Confidential

Prepared by: Security Architecture Collaboration Team

Data Confidentiality

• What data is considered confidential?• Data Classification– Public

• Campus maps

– Sensitive• Contractual obligation to protect• Right to Know

– Restricted• Required by law

– HIPAA– FERPA

05/15/2009 2

Data Confidentiality

• Remember the 3R’s– Roles– Rules– Responsibility

05/15/2009 3

Roles

• System Administrator/Technical• Management• Faculty• Student• Staff

05/15/2009 4

Rules

• PASSHE Policy• Employment Contract• Confidentiality Policy• Risk Assessment

05/15/2009 5

Responsibility

• Everyone

05/15/2009 6

Responsibility• Individual accountability• System Administrators and Managers

– Responsible for safeguarding confidential data– Responsible for compliance– Responsible for persons under their supervision

• Faculty– Responsible for confidential data to which they have access

• Bio/Demo data (including DOB and SSN)• Student Grades and historical data

• Students– Responsible for managing their own confidential data

• Log out of session• Do not share passwords

• Staff– Responsible for confidential data to which they have access

• Bio/Demo data (including DOB and SSN)• Student Grades and historical data• Salary Information

05/15/2009 7

User Security Awareness• Topics– Password use and management– Virus protection– Phishing/Spam– Laptop/Handheld Device– Access privileges– Data backup and storage– Incident response

05/15/2009 8

Security Breaches• Follow designated policies and procedures

05/15/2009 9

Misuse Penalties• Civil and Criminal• Conflict of Interest• Disciplinary Action

05/15/2009 10

Checklist Policies and procedures are in place Data submissions are fully protected

Data encryptionData transfer agreement

Penalties for misuse are in writing and are enforced Access to data is restricted based on University role

ElectronicData storage areas

Employees sign and understand confidentiality agreement

05/15/2009 11

Checklist

Timely threat notificationsSecurity Breaches

Affects institutions’ finances, productivity and credibility

CybercrimeHackingMalwarePhishingUSB drives

05/15/2009 12

Checklist

Training program has been developedRe-training conducted based on performance

Routine evaluations are conductedDeveloped a disaster and recovery planFirewalls are in placeRoutine virus checking, system audits and

diagnosticsData retention schedule05/15/2009 13

Checklist

Notation on all records containing identifiable data (e.g. confidentiality reminder)

Telecommuting and home officesSame level of securityAdditional safeguards

Minimal data on home computerSecurity SoftwarePassword control

Secure transport from one location to another

05/15/2009 14

ChecklistOpen-access area security

Written data not left out in the openLog out of sessions

Fax/Copy machinesSecure areaCover sheetsDe-program to recover confidential information

Established document disposal proceduresProtection of hard copy informationWritten consent to release to outside agencies

Double check before providing information

05/15/2009 15

Confidentiality Agreement

05/15/2009 16

Resources

PASSHENational Cyber Security Alliance (NCSA)

http://www.staysafeonline.org

05/15/2009 17