Keep It Confidential. Prepared by: Security Architecture Collaboration Team.


1 Keep It Confidential
Prepared by: Security Architecture Collaboration Team

2 Data Confidentiality
What data is considered confidential?
Data Classification
– Public: Campus maps
– Sensitive: Contractual obligation to protect; Right to Know
– Restricted: Required by law
  – HIPAA
  – FERPA
05/15/2009

3 Data Confidentiality
Remember the 3R’s
– Roles
– Rules
– Responsibility

4 Roles
– System Administrator/Technical Management
– Faculty
– Student
– Staff

5 Rules
– PASSHE Policy
– Employment Contract
– Confidentiality Policy
– Risk Assessment

6 Responsibility
Everyone

7 Responsibility
Individual accountability
System Administrators and Managers
– Responsible for safeguarding confidential data
– Responsible for compliance
– Responsible for persons under their supervision
Faculty
– Responsible for confidential data to which they have access
  – Bio/Demo data (including DOB and SSN)
  – Student Grades and historical data
Students
– Responsible for managing their own confidential data
  – Log out of session
  – Do not share passwords
Staff
– Responsible for confidential data to which they have access
  – Bio/Demo data (including DOB and SSN)
  – Student Grades and historical data
  – Salary Information

8 User Security Awareness Topics
– Password use and management
– Virus protection
– Phishing/Spam
– Laptop/Handheld Device
– Access privileges
– Data backup and storage
– Incident response

9 Security Breaches
Follow designated policies and procedures

10 Misuse Penalties Civil and Criminal Conflict of Interest Disciplinary Action

11 Checklist
– Policies and procedures are in place
– Data submissions are fully protected
– Data encryption
– Data transfer agreement
– Penalties for misuse are in writing and are enforced
– Access to data is restricted based on University role
– Electronic Data storage areas
– Employees sign and understand confidentiality agreement

12 Checklist
– Timely threat notifications
– Security Breaches
– Affects institutions’ finances, productivity and credibility
– Cybercrime
– Hacking
– Malware
– Phishing
– USB drives

13 Checklist
– Training program has been developed
– Re-training conducted based on performance
– Routine evaluations are conducted
– Developed a disaster and recovery plan
– Firewalls are in place
– Routine virus checking, system audits and diagnostics
– Data retention schedule

14 Checklist
– Notation on all records containing identifiable data (e.g. confidentiality reminder)
– Telecommuting and home offices
– Same level of security
– Additional safeguards
– Minimal data on home computer
– Security Software
– Password control
– Secure transport from one location to another

15 Checklist
– Open-access area security
– Written data not left out in the open
– Log out of sessions
– Fax/Copy machines
– Secure area
– Cover sheets
– De-program to recover confidential information
– Established document disposal procedures
– Protection of hard copy information
– Written consent to release to outside agencies
– Double check before providing information

16 Confidentiality Agreement

17 Resources
– PASSHE
– National Cyber Security Alliance (NCSA) http://www.staysafeonline.org

