
1 Best Practices for Protecting Data

2 Section Overview
- Mobile Computing Devices
- Technical Procedures
- Data Access and Permissions
- Verbal Communication
- Paper Copies
- Data Destruction
- Data Inventory
- Privacy Officer
- De-identified data
- Passwords
- Email
- Workstation and File Security

3 Data Inventory
Address key questions about your data with a data inventory:
- What systems do we have?
- What data do they store?
- What reports and exports are available?
- Who are the users?

4 Data Inventory Example

| System | Types of Data | Reporting Features | Users |
|---|---|---|---|
| Student Information System | Demographics, Schedules, Grades, Attendance, etc. | Ad-hoc, Pre-defined, User-defined, Exports | Administrators, Teachers, Secretaries |

5 Privacy Officer
Determine who is responsible for the following data and privacy issues:
- Leading a district security team
- Educating staff on regulations, best practices and policy
- Management and delivery of data
- Maintaining information on agreements and contracts
- Maintaining logs of users with access to PII
- Documenting data collection processes
- Acting as a contact for the public on privacy questions and concerns

6 De-identify Data
De-identify detail data used in analysis, projects and presentations:
De-identified data - Data regarding students that uses random identifiers.

| Name | Grade | SPED | Math 3 Level | ELA 3 Level |
|---|---|---|---|---|
| Student 1 | 4 | No | Level 3 | Level 4 |
| Student 2 | 4 | No | Level 3 |
| Student 3 | 4 | No | Level 2 | Level 1 |
| Student 4 | 4 | Yes | Level 3 | Level 2 |
| Student 5 | 4 | No | Level 4 |
| Student 6 | 4 | No | Level 3 |

7 De-identify Data
Use aggregated data where possible:
Aggregated Data - Anonymized data that cannot be used to identify a particular student. Reported at the school or district level.

8 Indirect Identification
Be mindful of indirect identification issues:

| Subgroup | Percent Proficient |
|---|---|
| American Indian | 83.4% |
| Asian | 87.7% |
| Black | 91.7% |
| Hispanic | 81.0% |
| Two or More Races | 0.00% |
| White | 79.2% |

9 Do any of these passwords look familiar?

10 Passwords
Employ password protection strategies:
- Strengthen passwords
- Make every new password a unique password
- Change passwords regularly
- Never write down or share passwords
- Disable the “Remember Password” function in browsers
- Change passwords immediately if compromised
- Use a secure password management method

11 Password Strength
Strong Passwords…
- Are 8 or more characters long and contain a mix of upper and lowercase letters, numbers, and symbols…
- …and are easy to remember:

12 Password Strength
Strong Passwords…
- Are 8 or more characters long and contain a mix of upper and lowercase letters, numbers, and symbols…
  Ham&3gg$ is stronger than hamandeggs
- …and are easy to remember
  Hwd2tmnc2L! can be remembered from the passphrase “He who dares to teach must never cease to learn!”

13 Passwords
Weak Passwords…
- Are the same as your login or contain family names
- Contain common words
- Contain easily accessible information about you
- Contain only numbers or letters

14 Passwords
Weak Passwords…
- Are the same as your login or contain family names: Jsmith or raymond
- Contain common words: Football
- Contain easily accessible information about you: Mathteacher
- Contain only numbers or letters: 123456 or abcdef

15 Email
Consider security and privacy issues related to everyday use of email.
Senders:
- No longer control information once it is sent
- Could choose the wrong address
Receivers:
- May forward it to others, or print a copy
- Sometimes leave workstations unsecured or have weak passwords

16 Email Do not include personal or sensitive information:

17 Workstation and File Security
Secure workstations and files:
- Lock your workstation when not in use
- Download and store documents with sensitive information on secure network drives - not workstations!
- Use only encrypted USB flash drives (if used at all)

18 Workstation and File Security
Secure workstations and files:
- Use secure methods such as SFTP or remote desktop applications to transfer sensitive data - not email!
- Follow district-specific policies and procedures on file storage, data transfer and cloud applications.
- Store physical media in a secure area

19 Mobile Computing Devices - MCDs
Implement MCD policies, and inventory data and equipment:
- Develop policy that addresses the protection of data on MCDs
- Develop breach notification policy and procedures (including actions for employees to take in the event of a breach)
- Inventory personal and sensitive data stored on MCDs and update on an ongoing basis

20 Technical Procedures
Assess technical procedures:
- Perimeter Defenses
- LAN and WAN Management
- Vulnerability Assessment
- Data Encryption
- Patch and Virus Management
- Software and Operating System Updates
- Crisis Management
See District Security Self Assessment - COSN

21 Data Access and Permissions
Implement policy and procedure regarding user management and access that should be on a “Need to Know” basis:
- Review staff duties and roles annually
- Adjust permissions when job duties change
- Deactivate former employees' accounts immediately
- Do not create generic accounts in systems
- Have processes and policies in place
- Review audit logs and reports

22 Verbal Communication
Remember that verbal communication issues are an important consideration:
- Note that conversations can be overheard
- Don’t share sensitive information with unauthorized people
- Don’t share sensitive information while socializing

23 Paper Copies
Keep paper copies as secure as electronic data:
- Consider whether you really need a paper copy
- Remember that copier/printer/scanners store images of all documents on hard drives
- Be mindful of where you are printing
- Don’t leave paper copies sitting on printers
- Store paper copies in a secure area

24 Data Destruction
Destroy documents and files when no longer needed:
- Minimize the amount of data retained
- Remove data in a way that renders it unreadable (paper) or irretrievable (digital)
- Require third parties receiving PII under the FERPA School Official Exception to destroy it when the relationship is terminated or when no longer needed (whichever comes first)
- Require third parties receiving PII under other FERPA Exceptions to destroy it when no longer needed
See Best Practices for Data Destruction - PTAC

25 Best Practices for Protecting Data
- Key Ideas
- Self-Assessment

