K eep I t C onfidential Prepared by: Security Architecture Collaboration Team

Data Confidentiality What data is considered confidential? Data Classification – Public Campus maps – Sensitive Contractual obligation to protect Right to Know – Restricted Required by law – HIPAA – FERPA 05/15/20092

Data Confidentiality Remember the 3R’s – Roles – Rules – Responsibility 05/15/20093

Roles System Administrator/Technical Management Faculty Student Staff 05/15/20094

Rules PASSHE Policy Employment Contract Confidentiality Policy Risk Assessment 05/15/20095

Responsibility Everyone 05/15/20096

Responsibility Individual accountability System Administrators and Managers – Responsible for safeguarding confidential data – Responsible for compliance – Responsible for persons under their supervision Faculty – Responsible for confidential data to which they have access Bio/Demo data (including DOB and SSN) Student Grades and historical data Students – Responsible for managing their own confidential data Log out of session Do not share passwords Staff – Responsible for confidential data to which they have access Bio/Demo data (including DOB and SSN) Student Grades and historical data Salary Information 05/15/20097

User Security Awareness Topics – Password use and management – Virus protection – Phishing/Spam – Laptop/Handheld Device – Access privileges – Data backup and storage – Incident response 05/15/20098

Security Breaches Follow designated policies and procedures 05/15/20099

Misuse Penalties Civil and Criminal Conflict of Interest Disciplinary Action 05/15/200910

Checklist Policies and procedures are in place Data submissions are fully protected Data encryption Data transfer agreement Penalties for misuse are in writing and are enforced Access to data is restricted based on University role Electronic Data storage areas Employees sign and understand confidentiality agreement 05/15/200911

Checklist Timely threat notifications Security Breaches Affects institutions’ finances, productivity and credibility Cybercrime Hacking Malware Phishing USB drives 05/15/200912

Checklist Training program has been developed Re-training conducted based on performance Routine evaluations are conducted Developed a disaster and recovery plan Firewalls are in place Routine virus checking, system audits and diagnostics Data retention schedule 05/15/200913

Checklist Notation on all records containing identifiable data (e.g. confidentiality reminder) Telecommuting and home offices Same level of security Additional safeguards Minimal data on home computer Security Software Password control Secure transport from one location to another 05/15/200914

Checklist Open-access area security Written data not left out in the open Log out of sessions Fax/Copy machines Secure area Cover sheets De-program to recover confidential information Established document disposal procedures Protection of hard copy information Written consent to release to outside agencies Double check before providing information 05/15/200915

Confidentiality Agreement 05/15/200916

Resources PASSHE National Cyber Security Alliance (NCSA) 05/15/200917