Research Support Council (RSC) - What Data is Sensitive and How Do We Keep it Private?
Slide 1: Research Support Council (RSC) - What Data is Sensitive and How Do We Keep it Private?
- John L. Baines, AD IT Policy & Compliance
- Tuesday, May 14, 2013, :00 am to 9:30 am, Witherspoon Student Center
- John_Baines@ncsu.edu
Slide 2: Agenda
- Why worry?
- What is sensitive data?
- How to protect it?
5/14/2013 What data is sensitive and How to keep it private Slide 2
Slide 3: Privacy & security are very public concerns
- Identity theft
- Personal safety
- University image and reputation
- Financial penalties can be high
- Much legislation
- Public concern
- Internet access to data
Slide 4: What is at stake
- Identity theft: SSN
- Personal privacy: credit card numbers and bank accounts
- Personal safety, e.g. stalking
- Confidentiality
- Personal use
- Student data (FERPA)
Slide 5: Two research case studies
- UNC-CH Medical School SSN breach
- Los Alamos: Protect as Restricted Data
Slide 6: UNC-CH SSN breach at the Medical School
- Senior researcher, UNC-CH medical school; Carolina Mammography Registry, a 15-year project
- Kept the research subjects database referenced (keyed) by Social Security number (SSN): 114,000 subjects, also name, address and other personal information
- Most participants unaware their data was held
- Exploit: discovered in 2009; the server had been infiltrated two years earlier. Not clear whether any data was exported
- Consequences: notified all 180,000 exposed; cost $250,000; IT security was centralized; loss of public trust and university reputation
Slide 7: Sensitive But Unclassified (SBU)
- New category of Government data
- Affects Defense research contracts (and other Government data)
- Previously there was no classified data to protect; now SBU must be protected
- No such thing as "unprotected" in Defense research contracts?
Slide 8: Protect as Restricted Data (PARD)
- DoE sensitive but unclassified data
- Dr. Wen Ho Lee's program code at Los Alamos National Laboratory
- Backed up to tape
- Government labeled it as 'espionage'
- Felony charge: 'withholding' information related to the 'national defense'
Slide 9: FERPA considerations
- FERPA data is pervasive
- Do we need to protect the security of Education Records and Student Privacy? Absolutely
- Can we afford to protect them at the same level as Social Security numbers and credit card data? No: too expensive, and access becomes too difficult
Slide 10: Air-gapped systems
In networking, an air gap is a security measure in which a network is kept physically separate from other local networks and from the Internet. This isolation provides security, but it also limits client access to the network. The isolation only holds as long as nothing bridges it; removable media (such as the backup tapes in the Los Alamos case above) and portable devices routinely do.
Slide 11: (image; licensed under a Creative Commons License. Slide reused from "Exploring the Good and Evil in the Internet Cloud", 10/29/2012)
Slide 12: Last Truly Air-gapped System (image)
Slide 13: Sensitive data factors at NC State
- Legislation
- University revenues and expenses
- University image and reputation
- Confidentiality agreements / contracts
- Research
- Copyright and Intellectual Property
- Attorney/client privilege, police records
- Personal privacy
Slide 14: Legislation
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Gramm Leach Bliley Act (GLBA)
- Payment Card Industry (PCI) Data Security Standard (DSS)
- Red Flag Rule (FTC)
- North Carolina Identity Theft Protection Act of 2005
- North Carolina Public Records Act
- North Carolina State Personnel Act
Slide 15: Some sensitive data examples
- Personally Identifiable Information (PII)
- Credit card information (PCI)
- Health data (HIPAA PHI & EHR)
- Research data (e.g. contractual & pre-patent)
- Public safety information
- Financial donor information
- Security controls such as: system access passwords and other credentials; information file encryption keys; information security records
Slide 16: A framework for the availability and security of your data
1. Data Management Procedures Regulation updates, including a revised Data Classification Statement
2. Data Sensitivity Framework table
3. List of IT controls for data stewards and application developers/sponsors
4. Data Stewards and Custodians list
Slide 17: 1. Data Classification Statement
- A. Ultra: very few data elements - SSN, credit card number, passwords
- B. High: a large body of data - personal privacy, financial, intellectual property, medical, research, private contributors, attorney/client privilege, police
- C. Moderate: simpler controls - mostly FERPA
- D. Normal: not sensitive, e.g. university Web pages, published articles
- E. Unclassified (Black): publicly available data
Slide 18: Data Classification Statement matrix (risk criteria per level)

Level        | Risk criteria | Regulation | Financial   | Reputation | Business | Other
Ultra        | Two of:       | Multiple   | Extreme     | Serious    | Serious  | Litigation
High         | Two of:       | Violation  | Significant | Serious    | Serious  |
Moderate     | One of:       | Violation  | Some        | Some       | Adverse  |
Normal       | No major risk |            |             |            |          |
Unclassified | None          |            |             |            |          | Access control: publicly available
Slide 19: 2. Data sensitivity framework table
- Lists all sensitive data elements (e.g. personal name, SSN, credit card #)
- Cross-references data elements to legislation and other concerns
- Provides a default sensitivity for each data element
- Labels the sensitivity level of data in context
- Authoritative list of university sensitive data
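As an added illustration (not part of the original slides or of NC State's framework table), the following Python sketch shows how the "default sensitivity per data element" idea can be turned into a scanner for the kind of record the UNC-CH case describes. It looks for the Ultra-level elements named on slide 17 (SSNs, payment card numbers, credentials) plus one High-level personal-privacy element (e-mail addresses, an assumption standing in for the "large body" of personal data), validates card candidates with the Luhn check so arbitrary 16-digit numbers are not flagged, and labels the text with the highest level found. The regular expressions, the e-mail-to-High mapping and the Normal default for text with no findings are this example's assumptions; Moderate/FERPA elements are not pattern-detectable and are not attempted.

```python
import re
from dataclasses import dataclass
from typing import List

# Classification levels from the Data Classification Statement (slide 17), ranked
# so the highest level found wins. Which detector maps to which level is an
# assumption made for this example, not the university's framework table.
LEVEL_RANK = {"Normal": 0, "Moderate": 1, "High": 2, "Ultra": 3}

# Formatted SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Credential in key=value form (assumed convention for config and log text).
PASSWORD_RE = re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*\S+")
# E-mail address, used here as a stand-in for High-level personal privacy data.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


@dataclass
class Finding:
    element: str   # what was found
    level: str     # classification level it implies
    sample: str    # redacted excerpt, safe to put in a report


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; rejects most digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four characters, so the report itself is not Ultra data."""
    return "*" * (len(value) - 4) + value[-4:]


def find_sensitive(text: str) -> List[Finding]:
    """Run every detector over the text and return one Finding per hit."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("SSN", "Ultra", redact(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding("payment card number", "Ultra", redact(digits)))
    for m in PASSWORD_RE.finditer(text):
        findings.append(Finding("credential", "Ultra", "<redacted>"))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding("email address", "High", m.group()))
    return findings


def classify(text: str) -> str:
    """Highest level implied by any finding; 'Normal' (assumed default) when nothing is found."""
    findings = find_sensitive(text)
    if not findings:
        return "Normal"
    return max((f.level for f in findings), key=LEVEL_RANK.__getitem__)


if __name__ == "__main__":
    # Constructed sample rows, in the spirit of a research database keyed by SSN (slide 6).
    sample_rows = [
        "subject_id=1042 ssn=123-45-6789 name='J. Doe' contact=jdoe@example.edu",
        "card on file: 4111 1111 1111 1111 (exp 12/15)",
        "card on file: 4111 1111 1111 1112 (fails Luhn, not a card number)",
        "db_password = hunter2",
        "published article, no identifiers",
    ]
    for row in sample_rows:
        print(f"{classify(row):<8} {[f.element for f in find_sensitive(row)]}")
```

The Luhn step is what keeps a scanner like this usable: without it, every 16-digit identifier (order numbers, instrument serials) would be reported as card data and the Ultra label would lose its meaning.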
Slide 20: 3. Controls for Securing University Data
- Primary audience for this document: individuals making decisions about data classification & protection (management & technical)
- Document includes a cross-reference table connecting controls to data
- Document is not intended for end users, who should seek approval or instruction from the respective Data Custodian / Data Steward
Slide 21: Types of controls
1. Control principles for Data Stewards and Application Sponsors
2. Administrative and procedural design controls
3. Technical controls: computer servers
4. Technical controls: end-user devices
Slide 22: More about controls
- Only really applies to sensitive information: Purple, Red and Yellow data (Ultra, High and Moderate), not Green (Normal) and Unclassified data
- Cross-reference after each control: for each data sensitivity level the control is Mandatory, Recommended, Optional or [Unnecessary]
Slide 23: Where is it OK to store your data?
Columns run from most to least sensitive: Purple, Red, Yellow (sensitive); Green, White (not sensitive).

Location                          | Purple                | Red                   | Yellow     | Green | White
University server / Cloud service | (cells not separable in the transcription: Encrypted Restricted Encrypted Restricted Yes Yes Yes Yes Restricted Restricted Yes)
NCSU Google Drive                 | Encrypted (file only) | Encrypted (file only) | Yes        | Yes   | Yes
Print                             | Restricted            | Restricted            | Restricted | Yes   | Yes
Removable storage                 | Never                 | Encrypted             | Yes        | Yes   | Yes
Local PC                          | Never                 | Encrypted             | Yes        | Yes   | Yes
Local PC (second row in source)   | Never                 | Encrypted             | Some       | Yes   | Yes
Mobile device                     | Never                 | No                    | Yes        | Yes   | Yes
Google Docs                       | Never                 | No                    | Yes        | Yes   | Yes
Slide 24: Next steps with the DSF
- Presentations to campus for security awareness
- Work with campus IT Directors
- Develop documents specific to their needs: best practices to apply to their use of the data
- Define, implement and test campus encryption solutions
Slide 25: Encryption alternatives
- Full disk
- File level
- Database data element
- Backups
- Network drives
Slide 26: Who's protecting your data & how?
- On your mobile device: you are
- Removable storage: you are
- On your desktop: you and your sysadmin
- On University servers: OIT or college/department IT staff (and/or you!)
- In the cloud: the vendor (and you)
Slide 27: Google and sensitive information
- Best Practices for Data Security in Google
- NC State Google Drive and encrypted file sync
- Google is contractually defined as a university FERPA official at NCSU
- Google Docs is OK for FERPA data; it may become more of a FERPA issue when the data is transmitted outside Google
Slide 28: Types & examples of cloud services
- File synchronization and distribution: Google Drive can save & sync files
- Services providing file manipulation: Google Docs (and other Google Apps)
- Other, more complex cloud services (SaaS, PaaS, IaaS) need investigation on a case-by-case basis
Slide 29: Precautions with cloud vendors
- From a CSA/ISACA study: cloud vendors tend to have either fewer than 100 staff or many thousands
- Be careful if you have sensitive data
- Look at the Cloud Security Alliance STAR registry
- IT Security staff can assess the security of the product and of the data being considered
Slide 30: Questions
Enabling a HITECH & HIPAA Compliant Organization: Addressing Meaningful Use Mandates & Ensuring Audit Readiness Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard Compliance Mandates Increased
More informationInternet Gaming: The New Face of Cyber Liability. Presented by John M. Link, CPCU Cottingham & Butler
Internet Gaming: The New Face of Cyber Liability Presented by John M. Link, CPCU Cottingham & Butler 1 Presenter John M. Link, Vice President jlink@cottinghambutler.com 2 What s at Risk? $300 billion in
More informationefolder White Paper: HIPAA Compliance
efolder White Paper: HIPAA Compliance October 2014 Copyright 2014, efolder, Inc. Abstract This paper outlines how companies can use certain efolder services to facilitate HIPAA and HITECH compliance within
More informationCybercrime: Protecting Your Digital Assets in Today's Threat Landscape
Cybercrime: Protecting Your Digital Assets in Today's Threat Landscape Presented by Rachel Ratcliff OM03 Saturday, 10/5/2013 9:30 AM - 10:45 AM Cybercrime: Protecting Your Digital Assets in Today s Threat
More informationPII = Personally Identifiable Information
PII = Personally Identifiable Information EMU is committed to protecting the privacy of personally identifiable information of its students, faculty, staff, and other individuals associated with the University.
More informationIs it Time to Trust the Cloud? Unpacking the Notorious Nine
Is it Time to Trust the Cloud? Unpacking the Notorious Nine Jonathan C. Trull, CISO, Qualys Cloud Security Alliance Agenda Cloud Security Model Background on the Notorious Nine Unpacking the Notorious
More informationUCF Security Incident Response Plan High Level
UCF Security Incident Response Plan High Level Chris Vakhordjian Information Security Officer Computer Services & Telecommunications Division of IT&R Revision 1.1, 7 June 2007 Information Security Office
More informationVirtualization Impact on Compliance and Audit
2009 Reflex Systems, LLC Virtualization Impact on Compliance and Audit Michael Wronski, CISSP VP Product Management Reflex Systems Agenda Introduction Virtualization? Cloud? Risks and Challenges? Compliance
More informationInformation Resources Security Guidelines
Information Resources Security Guidelines 1. General These guidelines, under the authority of South Texas College Policy #4712- Information Resources Security, set forth the framework for a comprehensive
More informationThe Challenges of Applying HIPAA to the Cloud. Adam Greene, Partner Davis Wright Tremaine LLP
The Challenges of Applying HIPAA to the Cloud Adam Greene, Partner Davis Wright Tremaine LLP AGENDA Key Concepts Under HIPAA HIPAA Obligations for a BA Questions Remain Reaching Answers Resources KEY CONCEPTS
More informationPCI Compliance for Cloud Applications
What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage
More informationHealthcare Data in the Cloud A Gathering Storm of Governance. Erik Pupo Senior Manager, Deloitte
Healthcare Data in the Cloud A Gathering Storm of Governance Erik Pupo Senior Manager, Deloitte Objectives for this Webinar Explain what the healthcare cloud really means Highlight emerging challenges
More informationDevice Hardening, Vulnerability Remediation and Mitigation for Security Compliance
Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance Produced on behalf of New Net Technologies by STEVE BROADHEAD BROADBAND TESTING 2010 broadband testing and new net technologies
More informationSecurely Outsourcing to the Cloud: Five Key Questions to Ask
WHITE PAPER JULY 2014 Securely Outsourcing to the Cloud: Five Key Questions to Ask Russell Miller Tyson Whitten CA Technologies, Security Management 2 WHITE PAPER: SECURELY OUTSOURCING TO THE CLOUD: FIVE
More informationUniversity of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary
University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary This Summary was prepared March 2009 by Ian Huggins prior to HSC adoption of the most recent
More information