Maintaining your Data Security

Transcription

1 Maintaining your Data Security Prevention and Emergency Response Shanna Van Beek Elon University

2

3 [C]learly the most important component of data security sits between the chair and the keyboard. Yep, the carbon based life form has the ability to render ineffective even the best computer security deployed by the technology department. Likewise, a person can often detect a security issues that technology does not recognize - if they are cautious and aware. Certified Information System Security Professional (CISSP), major financial institution

4 Areas for maintaining data security 1. Understand Laws and Best Practice 2. Build Login/Logout Protocol 3. Audit Permissions 4. Limit Access by Audience 5. Respond in an Emergency

5 1. Understand Laws & Best Practice FERPA - Family Educational Rights and Privacy Act (1974) HIPAA - Health Insurance Portability and Accountability Act (1996) FACTA - Fair and Accurate Credit Transactions Act (2010)

6 FERPA FAQ:

7 Why do I have to abide by FERPA?... directly related to a student and that are maintained by an educational agency...

8 What can I share internally?... in order to fulfill his or her professional responsibility.

9 What about phone calls?... use reasonable methods to identify and authenticate the identity...

10 What about parents? If a student is claimed as a dependent by either parent for tax purposes, then either parent may have access under this provision.

11 What about in an emergency?... if the knowledge of that information is necessary to protect the health or safety...

12 What is Directory Information?... not generally be considered harmful or an invasion of privacy if disclosed.

13 Directory Information Directory information is determined by institution At Elon: enrollment status, graduation year, honors, student athlete, address, phone number Public schools and private schools have different obligations - check with FERPA officer

14 Directory Information Withheld Pull this through SIS Query Watch for applicant parameter Assign application tag

15 Best Practice If you send three or more pieces of personal identifiable information (PII), it must be protected or encrypted. Send over protected server (internal). Add a password, delivered by phone (Syncplicity). Purpose, not privilege.

16 2. Build Login/Logout Protocol Work with your IT - what s your authentication system? Login ONLY when necessary Close/quit browser on logout Logout to copy/paste hyperlinks

17 Intuitive Login Wizard Use the Text Interface to customize your login wizard.

18 3. Audit Permissions Audit staff, student staff, and outside admin permissions annually - following release of new version Invite your CIO, Compliance Officer, or Registrar to participate Adjust at the group and individual level Think purpose, not privilege

19 4. Limit Access by Audience Internal Colleagues Student Workers Institution Administration Faculty Partners Faculty Student Body Parents, Family Program Partners Outside Institutions Int l Ed Community

20 Internal Colleagues Access by purpose, not privilege Data/Business Manager - full access for reporting Super User - full access for maintenance Directors - depends on reporting role Advisors - restrict financial, ethnicity, race

21 Student Workers Same access as Office of Registrar student staff, with signed waiver Restrict Personal Information Form questionnaire (HIPAA) Restrict financial fields, ethnicity, race

22 Institution Administration Reports filtered through Business & Data Manager Provide only what is requested Send via internal server (encrypted)

23 Faculty Partners Reports filtered through Program Advisors Provide only for faculty s roster Only academic/need-to-know information Restrict financial, ethnicity, race Send via internal server (encrypted) or encrypted, password-protected flash drive

24 Faculty We do not interpret Study Abroad/Study USA experience as directory information Research purposes - percentages NOT for advertising e.g. Who was in Italy last semester that I can contact about my Italian language course?

25 Student Body Return Evaluation: Can we share your information? - if YES, then student s name can be provided to future students. Student projects - study abroad/study USA data provided as percentages (no PII info)

26 Parents, Family Student staff transfers call to professional staff Provide general program information NOT tied to student Follow-up - copy student If pressed for PII, fall back to Office of Registrar Explain in terms of student safety e.g. stalker follows student abroad

27 Program Partners FERPA - legitimate educational interest Provide required information through encrypted, password-protected channels, e. g. Syncplicity Never provide file and password via same channel

28 Outside Institutions, Int l Ed Community Filtered through Business and Data Manager Provide data in percentages - rarely a need for names or PII

29 5. Respond in an Emergency 1. Isolate the vulnerability 2. Notify TDS, CIO 3. Document your actions 4. Ask TDS for forensics 5. Consider additional forensics 6. Resolve and Report 7. Modify source of vulnerability

30 Knowledgbase Articles Payment Gateway Integration Shibboleth SCL Integration