Presentation is loading. Please wait.

Presentation is loading. Please wait.

What to Consider When Implementing SPG 601.33 in Your Unit Accessing or Maintaining Sensitive Institutional Data on Personally Owned Devices (SPG 601.33)

Published byMathew Bacon Modified over 9 years ago

Similar presentations

Presentation on theme: "What to Consider When Implementing SPG 601.33 in Your Unit Accessing or Maintaining Sensitive Institutional Data on Personally Owned Devices (SPG 601.33)"— Presentation transcript:

1 What to Consider When Implementing SPG 601.33 in Your Unit Accessing or Maintaining Sensitive Institutional Data on Personally Owned Devices (SPG 601.33) Last updated 6/13/14

2 Overview Why U-M needed a policy Personal devices used widely Risks of using personal devices What the policy covers SPG 601.33 overview Who is affected Units/Departments can customize implementation Discretion to decide Leadership responsibilities Online toolkit guides decisions 1. What sensitive data is used in your unit? 2. Who works with sensitive data in your unit? 3. Additional restrictions needed for your unit? Impact on individuals Responsibilities of individuals Device management expectations Network use expectations Security settings expectations Implementation support 2

3 Personal devices used widely People increasingly use their own devices (smartphones, tablets, laptops, etc.) to access and work university data and IT resources—including sensitive institutional data. It’s convenient for individuals and can be more efficient for the university. 3

4 Risks of using personal devices 3.1 million cellphones stolen in 2013 (2014). Coca-Cola: Unencrypted laptops stolen, containing names, SSNs, addresses, drivers license numbers on 74,000 people. (2014). 2.47 million new mobile malware samples collected by McAfee (2013). Horizon Blue Cross Blue Shield: Unencrypted laptops stolen, containing a mix of sensitive information on nearly 840,000 people. (2013). 12,000 laptops lost or left behind in airports every week (2012). Americans lost $30 billion worth of cellphones (2011). 4

5 SPG 601.33 Overview Security of Personally Owned Devices That Access or Maintain Sensitive Institutional Data (SPG 601.33)SPG 601.33 Recognizes the beneficial use of personally owned devices at U-M and the associated risks. Outlines individual and departmental responsibilities that appropriately balance personal privacy and institutional data security. Supports Tech Tools: Cell Phones and Portable Electronic Resources (SPG 514.04).SPG 514.04 5

6 Who is affected ●Data Stewards, who decided that units can permit individuals to use their own devices to work with the sensitive data for which they are responsible with these exceptions: credit card or Payment Card Industry (PCI) information, export controlled research, and security camera data.Data Stewards ●Unit Leadership, who need to decide whether to be more restrictive in their units regarding the use of personally owned devices that work with sensitive institutional data. ●Individuals, who may be permitted, for business reasons, to use their own devices to work with sensitive institutional data. This includes devices wholly owned by the individual or for which they receive a U-M stipend. 6

7 Discretion to decide Unit/Department leaders have the discretion to decide Whether there should be additional unit-specific expectations or restrictions for users who work with sensitive institutional data on properly secured, personally owned devices. These restrictions are in addition to the user responsibilities and expectations outlined in Security of Personally-Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33) and its supporting documentation. ? 7 Decision Needed: Will your unit be more restrictive than the expectations and responsibilities laid out in the SPG?

8 Leadership responsibilities 1.Decide whether to permit people in their department/unit to use their own devices to access or maintain sensitive institutional data in accordance with SPG 601.33. 2.If Yes, decide whether to impose additional restrictions. Example 1: Only permit people in specific roles to use their personal devices to to work with sensitive institutional data. Example 2: Require additional specific technical safeguards; require education and awareness. If No, go on to step 3 and communicate the decision. 3.Inform those in the department/unit whether they are permitted to use personally owned devices to access or maintain sensitive institutional data and whether there are additional restrictions. 4.Document the decision and any additional restrictions. 8

9 Online toolkit guides decisions http://safecomputing.umich.edu/protect-um-data/personal-devices/ This toolkit walks you through the risk-based decision-making process of implementing SPG 601.33 in your department/unit. 9

10 1. What sensitive data is used? UnitData TypeRegulated?Potential Harm General CounselAttorney/Client PrivilegedNoLow-High RegistrarStudent Educational RecordsYes - FERPALow-Medium Health SystemProtected Health InformationYes - HIPAAHigh What sensitive data does your department/unit use? Is it regulated or unregulated? How severe is the harm or the penalty if there is unauthorized disclosure? Decision tools: Sensitive Data Guide Sensitive Data Policies and Regulatory Compliance Sensitive University Data Hypothetical examples: 10

11 2. Who works with sensitive data? Hypothetical examples: Who works with sensitive data in your department/unit?* Almost all users? Only a subset? Do all users work with the same type of sensitive data? Do some work with more highly regulated sensitive data than others? *All units have some staff who work with sensitive data (for example, Human Resources data). UnitData TypeRegulated?User Base General CounselAttorney/Client PrivilegedNoAll RegistrarStudent Educational RecordsYes - FERPAAll Health SystemProtected Health InformationYes - HIPAAAll (assumed) 11

12 3. Additional restrictions needed? UnitData TypeRegulated?Potential Harm User Base Additional Restrictions General Counsel Attorney/Client Privileged NoLow-HighAllOnly attorneys are allowed to use their own devices with sensitive university data RegistrarStudent Educational Records Yes - FERPALow-MedAllNone Health SystemProtected Health Information Yes - HIPAAHighAllMust register with Mobile Device Management (MDM) service Are additional restrictions (beyond the minimum) required in your department/unit? Do regulations, level of harm, or number of users call for additional restrictions? Hypothetical examples: 12

13 Responsibilities of individuals Only work with sensitive institutional data using a personal device if permitted by their unit. Follow minimum device management and security expectations.* Return/delete sensitive institutional data on request or when role changes. Report lost, stolen, or compromised devices that access or store sensitive institutional data to security@umich.edu. Allow U-M inspection of their device on request in accordance with U-M policy: Privacy and the Need to Monitor and Access Records (SPG 601.11). Produce information as required by FOIA or legal requests. Also applies to university-owned devices that are managed by individuals, such as devices purchased with grant funding and managed by researchers. 13

14 Device management expectations Keep operating system and apps up-to-date. Only install trusted market apps, such as those in the iTunes App Store, Google Play, or the Windows Store, unless required for a job-related purpose. Do not bypass security features (called “rooting” or “jailbreaking”) unless required for your university work. Certain types of data cannot be accessed or maintained outside the U.S. (includes Export Control, HIPAA, FISMA). 14

15 Use secure networks, such as your cellular carrier network, MWireless, or wired connections.MWireless Install and use the U-M VPN if using untrusted networks, such as hotel guest wireless. (UMHS users should use the UMHS VPN.)U-M VPN UMHS VPN. Turn off optional network connections (for example, Wi Fi and Bluetooth) when not in use. Network use expectations 15

16 Security settings expectations Require a password or PIN for access to your device. Set auto lock to 15 minutes or less. Encrypt the device with built-in encryption (where possible). Turn on the remote tracking/lock/wipe capability. Secure wipe the device before selling it or giving it away. 16

17 Implementation support MiWorkspaceNeighborhood IT Service Center Non-MiWorkspaceUnit Desktop Support Service Center Web Self-help Resources Policy & Standard Policy: Security of Personally Owned Devices That Access or Maintain Sensitive Institutional Data (SPG 601.33)Policy: Security of Personally Owned Devices That Access or Maintain Sensitive Institutional Data (SPG 601.33) Data Standard: Unit-Specific Expectations for Self-Management of Personally Owned Devices that Access or Maintain Sensitive Institutional DataData Standard: Unit-Specific Expectations for Self-Management of Personally Owned Devices that Access or Maintain Sensitive Institutional Data For Individuals Your Responsibilities for Protecting University Data When Using Your Own DevicesYour Responsibilities for Protecting University Data When Using Your Own Devices Instructions for Securing Your Devices and Data For Departments/Units Toolkit: Implementing SPG 601.33 in Your Department/Unit Checklist for Implementing SPG 601.33 TipsQuickest way to get assistance for configuring devices is to call 4-HELP. Neighborhood IT can set up a walk-in session for MiWorkspace units. Departments/Units must determine the types of sensitive institutional data they work with Questions: Contact iia.inform@umich.edu

Download ppt "What to Consider When Implementing SPG 601.33 in Your Unit Accessing or Maintaining Sensitive Institutional Data on Personally Owned Devices (SPG 601.33)"

Similar presentations

Powerful and convenient management for Windows Mobile ® 6.1 devices in an enterprise environment. These features include: Centralized, over-the-air device.

Powerful and convenient management for Windows Mobile ® 6.1 devices in an enterprise environment. These features include: Centralized, over-the-air device.
Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
Www.sophos.com/loveyourphone Mobile device security Practical advice on how to keep your mobile device and the data on it safe.

Mobile device security Practical advice on how to keep your mobile device and the data on it safe.
Security for Mobile Devices

Security for Mobile Devices
Identify risks with mobile devices: Portable data storage Wireless connections 3 rd party applications Data integrity Data availability 2.

Identify risks with mobile devices: Portable data storage Wireless connections 3 rd party applications Data integrity Data availability 2.
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.

HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.
Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.

Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.
6218 Mobile Devices- Are They Secure Enough for our Patient's Data? Presented By Aaron Hendriks, CISSP Other: Employee of University Health Network, Toronto,

6218 Mobile Devices- Are They Secure Enough for our Patient's Data? Presented By Aaron Hendriks, CISSP Other: Employee of University Health Network, Toronto,
1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.

1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.
Critical Data Management Indiana University HR Summit April 24, 2014.

Critical Data Management Indiana University HR Summit April 24, 2014.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
9/20/07 STLSecurity is Everyone's Responsibility 1 FHDA Technology Security Awareness.

9/20/07 STLSecurity is Everyone's Responsibility 1 FHDA Technology Security Awareness.
Security Controls – What Works

Security Controls – What Works
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Beyond WiFi: Securing Your Mobile Devices Thomas Kuhn Information Technology Assistance Center (iTAC) Kansas State University.

Beyond WiFi: Securing Your Mobile Devices Thomas Kuhn Information Technology Assistance Center (iTAC) Kansas State University.

Similar presentations

Ads by Google