K eep I t C onfidential Prepared by: Security Architecture Collaboration Team
Data Confidentiality What data is considered confidential? Data Classification – Public Campus maps – Sensitive Contractual obligation to protect Right to Know – Restricted Required by law – HIPAA – FERPA 05/15/20092
Data Confidentiality Remember the 3R’s – Roles – Rules – Responsibility 05/15/20093
Roles System Administrator/Technical Management Faculty Student Staff 05/15/20094
Rules PASSHE Policy Employment Contract Confidentiality Policy Risk Assessment 05/15/20095
Responsibility Everyone 05/15/20096
Responsibility Individual accountability System Administrators and Managers – Responsible for safeguarding confidential data – Responsible for compliance – Responsible for persons under their supervision Faculty – Responsible for confidential data to which they have access Bio/Demo data (including DOB and SSN) Student Grades and historical data Students – Responsible for managing their own confidential data Log out of session Do not share passwords Staff – Responsible for confidential data to which they have access Bio/Demo data (including DOB and SSN) Student Grades and historical data Salary Information 05/15/20097
User Security Awareness Topics – Password use and management – Virus protection – Phishing/Spam – Laptop/Handheld Device – Access privileges – Data backup and storage – Incident response 05/15/20098
Security Breaches Follow designated policies and procedures 05/15/20099
Misuse Penalties Civil and Criminal Conflict of Interest Disciplinary Action 05/15/200910
Checklist Policies and procedures are in place Data submissions are fully protected Data encryption Data transfer agreement Penalties for misuse are in writing and are enforced Access to data is restricted based on University role Electronic Data storage areas Employees sign and understand confidentiality agreement 05/15/200911
Checklist Timely threat notifications Security Breaches Affects institutions’ finances, productivity and credibility Cybercrime Hacking Malware Phishing USB drives 05/15/200912
Checklist Training program has been developed Re-training conducted based on performance Routine evaluations are conducted Developed a disaster and recovery plan Firewalls are in place Routine virus checking, system audits and diagnostics Data retention schedule 05/15/200913
Checklist Notation on all records containing identifiable data (e.g. confidentiality reminder) Telecommuting and home offices Same level of security Additional safeguards Minimal data on home computer Security Software Password control Secure transport from one location to another 05/15/200914
Checklist Open-access area security Written data not left out in the open Log out of sessions Fax/Copy machines Secure area Cover sheets De-program to recover confidential information Established document disposal procedures Protection of hard copy information Written consent to release to outside agencies Double check before providing information 05/15/200915
Confidentiality Agreement 05/15/200916
Resources PASSHE National Cyber Security Alliance (NCSA) 05/15/200917