Information Security: Roles, Responsibilities, and Data Classification. Technology Services 1/4/2013



Similar documents
Central Texas College District Human Resource Management Operating Policies and Procedures Manual Policy No. 294: Computer Security Policy

Information Security Program

Index .700 FORMS - SAMPLE INCIDENT RESPONSE FORM.995 HISTORY

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Information Security Policy

Title: Data Security Policy Code: Date: rev Approved: WPL INTRODUCTION

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

UIT Security is responsible for developing security best practices, promoting security awareness, coordinating security issues, and conducting

California State University, Sacramento INFORMATION SECURITY PROGRAM

College of DuPage Information Technology. Information Security Plan

Marist College. Information Security Policy

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Virginia Commonwealth University School of Medicine Information Security Standard

Wellesley College Written Information Security Program

Western Oregon University Information Security Manual v1.6

Policy No: TITLE: EFFECTIVE DATE: CANCELLATION: REVIEW DATE:

INFORMATION TECHNOLOGY Policy 8400 (Regulation 8400) Data Security

Contact: Henry Torres, (870)

How To Protect Data At Northeast Alabama Community College

Southern Law Center Law Center Policy #IT0004. Title: Policy

HIPAA Compliance Annual Mandatory Education

IT Governance Committee Review and Recommendation

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

BERKELEY COLLEGE DATA SECURITY POLICY

INFORMATION TECHNOLOGY RISK MANAGEMENT PLAN

Hamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004)

Managing Information Stanford

HIPAA Compliance Guide

Information Security Policy

ELECTRONIC INFORMATION SECURITY A.R.

Information Systems Security Policy

THE UNIVERSITY OF NORTH CAROLINA AT GREENSBORO IDENTITY THEFT PREVENTION PROGRAM

Data Management Policies. Sage ERP Online

Information Security Program Management Standard

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

P Mobile Device Security.

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

SELF-LEARNING MODULE (SLM) 2012 HIPAA Education Privacy Basics and Intermediate Modules

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Responsible Use of Technology and Information Resources

Technical Panel of Nebraska - 30-Day Comments Period

Information Resources Security Guidelines

Information Security Policy

IDENTITY MANAGEMENT AND COMMON SYSTEM ACCESS HUMBOLDT STATE UNIVERSITY. Audit Report December 21, 2012

Village of Hastings-on-Hudson Electronic Policy. Internal and External Policies and Procedures

PCI Data Security and Classification Standards Summary

Bates Technical College. Information Technology Acceptable Use Policy

Securing the Healthcare Enterprise for Compliance with Cloud-based Identity Management

R345, Information Technology Resource Security 1

COUNCIL POLICY NO. C-13

Earth-Life Science Institute Tokyo Institute of Technology. Operating Guidelines for Information Security

How To Ensure Health Information Is Protected

REGENTS POLICY PART V FINANCE AND BUSINESS MANAGEMENT Chapter Business Practices

Responsible Access and Use of Information Technology Resources and Services Policy

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Virginia Commonwealth University Information Security Standard

B. Privacy. Users have no expectation of privacy in their use of the CPS Network and Computer Resources.

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

INFORMATION SECURITY California Maritime Academy

PII Personally Identifiable Information Training and Fraud Prevention

HIPAA Security Alert

Vulnerability Management Policy

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

Information Security Operational Procedures Banner Student Information System Security Policy

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

UCF Security Incident Response Plan High Level

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

DCC student and employee information must be safeguarded.

Specific observations and recommendations that were discussed with campus management are presented in detail below.

SENSITIVE DATA SECURITY AND PROTECTION CALIFORNIA STATE UNIVERSITY, LOS ANGELES. Audit Report January 3, 2012

Management Standards for Information Security Measures for the Central Government Computer Systems

CHAPTER 1 COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

TERMINAL CONTROL MEASURES

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter

State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE IT RESOURCES POLICY

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Working Practices for Protecting Electronic Information

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

Ferris State University

HIPAA Compliance Guide

CITRUS COMMUNITY COLLEGE DISTRICT GENERAL INSTITUTION ELECTRONIC MAIL AND BULK ELECTRONIC DISTRIBUTION

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

ITS Policy Library Device Encryption. Information Technologies & Services

Information Security Operational Procedures

Information Technology Security Standards and Protocols. Coast Community College District

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

CHIS, Inc. Privacy General Guidelines

Acceptable Use of Information Technology

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Information Technology Acceptable Use Policy

Information Circular

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy

Computer Security Incident Reporting and Response Policy

The Importance of Organizing Your SJSU Information Assets

Information Security Classification

E-Tendering Requirements for MDB Financed Procurement November 2009

E-Tendering Requirements for MDB Financed Procurement October 2005

Transcription:

Information Security: Roles, Responsibilities, and Data Classification Technology Services 1/4/2013

Roles, Responsibilities, and Data Classification The purpose of this session is to: Establish that all individuals are accountable for their use of LIT information. Identify information Owners, Custodians, and User roles to clearly distinguish the parties responsible and accountable for that LIT information. 2

Roles, Responsibilities, and Data Classification (Cont.) Establish that information that is sensitive or confidential must be protected from unauthorized access or modification. Establish that security awareness of employees must be continually emphasized and reinforced at all levels of management. 3

General Guidelines Information resources residing at LIT are strategic and vital assets that belong to the people of Texas. All individuals are accountable for their use of LIT information resources. Information that is Sensitive or Confidential must be protected from unauthorized access or modification. 4

Information Owners LIT delegates specific ownership responsibilities to those with day-to-day oversight of information assets. For example, individual departments are owners of the information located in the departmental file shares in the LIT data center. Owners have been designated for data assets based upon the general subject matter of the data. For example, Human Resources is the owner of staff and faculty employee information. 5

Information Custodians Custodians provide information asset services to both owners and users. A custodian may be a person, a team, or a department such as Technology Services. A custodian could be a third party provider of information resources. (i.e. website or application hosting provider) 6

Information Custodians (Cont.) Regardless of how the role is filled, custodians are expected to: Assist the owner(s) in identifying cost-effective controls along with monitoring techniques and procedures for detecting and reporting control failures or violations Implement the controls and monitoring techniques and procedures specified by the owner(s) Provide and monitor the viability of physical and procedural safeguards for the information resources 7

Information Users Users of information resources shall use those resources for defined purposes that are consistent with their institutional responsibilities. Users are expected to comply with LIT published security policies and procedures, as well as with security bulletins and alerts in response to specific risks or threats. The use of LIT information resources implies that the user has knowledge of and agrees to comply with LIT policies governing such use. 8

Data Classification Owners of LIT information assets shall classify the information as public, sensitive, or confidential, according to its need for confidentiality. The information s owner should ensure that disclosure controls and procedures are implemented and followed to afford the degree of protection required by the assigned classification. 9

Data Classification (Cont.) Information shall be assigned one of the following 3 classifications: Public - Advertising and Marketing Literature Sensitive - Employee Records, Voicemail, and Memos Confidential - Credit Card Information and Social Security Numbers 10

Data Classification (Cont.) Public Information Public information is by its very nature designed to be shared broadly, without restriction, at the complete discretion of the owner. Examples of public information include: advertising and marketing literature, degree program descriptions, course offerings and schedules, campus maps, job postings, press releases, descriptions of LIT products and services, and certain types of unrestricted directory information. 11

Data Classification (Cont.) Sensitive Information Sensitive information can be both public and confidential. Sensitive information may be deemed public if subject to provisions of the Texas Public Information Act. Examples of sensitive information include: some employee records, departmental policies and procedures that may reveal protected information, the contents of e-mail, voicemail, and memos, information covered by non-disclosure agreements, and donor information. 12

Data Classification (Cont.) Confidential Information Confidential information is information that is exempt from disclosure requirements under the provisions of applicable state or federal law. Examples of confidential information include: student education records as defined under FERPA, credit card and financial account information, social security numbers, driver license numbers, personally identifiable medical records, crime victim information, and access control credentials (e.g., PINs and passwords). 13

Additional Information Sensitive or confidential information must not be transmitted in unencrypted form. Either the information itself must be encrypted prior to transmission or an encrypted connection must be established and maintained for the duration of the transmission. Owners, custodians and users must immediately report suspected information resources security incidents to Technology Services Help Desk at (409) 839-2074, or email to helpdesk@lit.edu. 14

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information