By: John L. Baines, Jeff Webster, Leo Howell
3/21/2012
Introduction
- Information is THE primary asset at the University
- Security and custody are now both strong issues
- Press and governance are showing increased attention
- The University's reputation is at stake
DCS & DMP
DCS & DMP (diagram of the data they cover):
- Payment Card Industry Data Security Standard: credit card data
- State Identity Theft law: SSN, etc.
- Staff data
- Federal Grants
- Contract requirements
- Research materials
[Figure label: Lab PC]
Ohio University
- Reported in an Athens News article, 06-12-2006
- Hackers gained access to personal data, including SSNs of 200,000 students and alumni
- Multiple incidents
- More than $77,000 spent sending letters
- Blow to alumni goodwill
"We were adding on another university every week to look into." - Michael C. Zweiback, assistant U.S. attorney
On the Internet EVERYONE lives next door!
Low-cost, high-speed, portable data storage
[Image: Corsair Flash Voyager 1GB USB 2.0 Flash Drive]
Data Classification Standard (new)
For both electronic and other media:
- Sensitivity of data
- Security and privacy
- Consistency
If it ever was!
[Slide figure labels: Text, A/V, Download; Dept level]
University data:
- Identification
- Confidentiality and sensitivity
- Classification
- Protection
- Consistency
E.g., a laptop with access to Social Security numbers operates in the Red zone.
E.g., a server holding only published materials may require merely Green zone protection.
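As an added example (not part of the original slides or of any University tool), the following Python script is the kind of aid behind a "checklist to help classify data": it scans text for two data types the slides name, Social Security numbers and payment card numbers, validates each hit so that phone numbers and order IDs are not flagged, and assigns a zone. The zone rule (any validated SSN or card number puts the content in Red, otherwise Green), the regular expressions, the SSN structural rules and the sample snippets are all assumptions made here for illustration; the slides name only the Red and Green zones, and a real standard would have more levels and more data types.

```python
"""Toy data-classification check: flag content that falls in the Red zone.

Added example (not from the original slides). Scans text for Social Security
numbers and payment card numbers and reports a zone. The zone rule is an
assumption for illustration: any validated SSN or card number => "Red",
otherwise "Green".
"""
import re
from typing import Dict, List

# Candidate patterns. Digit-only matching produces many false positives
# (phone numbers, order IDs), so every hit is validated below.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators


def luhn_ok(candidate: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules: area 000, 666 and 900-999, group 00 and serial 0000 are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_sensitive(text: str) -> Dict[str, List[str]]:
    """Return validated SSNs and card numbers found in text, masked so logs stay Green."""
    found: Dict[str, List[str]] = {"ssn": [], "pan": []}
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            found["ssn"].append("***-**-" + m.group(3))
    for m in PAN_RE.finditer(text):
        if luhn_ok(m.group(0)):
            digits = re.sub(r"\D", "", m.group(0))
            found["pan"].append("*" * (len(digits) - 4) + digits[-4:])
    return found


def classify(text: str) -> Dict[str, object]:
    """Assumed zone rule: any validated SSN or card number puts the content in Red."""
    found = find_sensitive(text)
    zone = "Red" if (found["ssn"] or found["pan"]) else "Green"
    return {"zone": zone, "found": found}


# Constructed sample snippets (not real data), e.g. files found on a lab PC or USB drive.
SAMPLES = {
    "syllabus.txt": "Office phone 919-555-0100. Course syllabus is published on the web.",
    "roster.csv": "Doe,Jane,123-45-6789,Senior",
    "donors.txt": "Gift by card 4111 1111 1111 1111, exp 12/26",
    "orders.txt": "Order ref 1234 5678 9012 3456 shipped",   # fails Luhn, not a card
    "ids.txt": "Legacy ID 000-12-3456",                      # area 000 is never issued
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        result = classify(text)
        print(f"{name:12s} {result['zone']:5s} {result['found']}")
```

Two design points matter in practice: the validation steps (Luhn, SSN area/group/serial rules) are what keep the false-positive rate low enough for staff to trust the result, and the findings are masked before they are returned so that the report itself does not become another Red zone copy of the data.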
Management of any and all University data, electronic and physical copies.
Dept level: develop their own more detailed procedures; establish relevancy to their own very specific data protection needs.
New draft DMP:
- Current DMP outline intact
- About 25% of original text
- Shortened text length from 8 pages to 4.5 pages
- Deleted specific references to RMIS internal procedures
- Updated the list of Data Trustees, Stewards, and Custodians
- Made a separately maintained table for: Data Categories, Data Trustees, Data Stewards, Data Custodians
Responsibilities
- Data Steward: access within his or her unit; accuracy, privacy, and security
- Data Custodians: physical data management; manage access rights
- Security Administrator (e.g. Application Security Unit): authorizes users based on guidelines
- User
User Responsibilities
- Store data under secure conditions
- Make every reasonable effort to ensure the appropriate level of data privacy is maintained
- Use the data only for the purpose for which access was granted
- Do not share IDs or passwords with other persons
- Securely dispose of sensitive University data
- Guidance and awareness (we will work to develop guides; for example, a checklist to help classify data)
- Possible specific standards for protecting data based on classification level
- Training program for new data stewards, data custodians, and security administrators
- Security awareness program for users
Resources for Campus Groups:
- ITD security staff
- RMIS Information Assurance & Security area
Examples: General
- Most administrative business data was already covered by the previous DMP, so Data Trustees, Data Stewards, and Data Custodians are already defined and have established processes for administrative data.
- For other data on campus, similar processes may already be followed, and you should make sure they are documented.
For users/groups that have received permission to make local copies of data, the Data Trustee and Data Steward are defined by the original data; the copiers have simply made themselves the Data Custodians for their own local copy. This was the case under the previous DMP and Information Security Acknowledgement form; it has hopefully been clarified in the new draft DMP.
- Access limits because of the sensitivity of the plans
- Preservation of original plans
- Defined source of the current master copy of a building plan
- Procedures for allowing updates to master building plans
Examples: Fundraising
During fundraising drives and other donation collection programs, a lot of potentially sensitive information may be collected about the individual donors:
- Name
- Address
- Bank or credit card numbers
- Other financial information
Access to this data and its safe storage and disposal are your biggest concerns.
Research data is somewhat messy. In general, you will probably end up with these roles:
- Data Trustee: Dean
- Data Steward: PI
- Data Custodian: PI, local IT, grad student
Do Nothing Alternative
Benefits
- Establishes consistency in handling sensitive data
- Clarifies authority, responsibility, and accountability for the security of data
- Delegates appropriately
- Simplifies audit and oversight
- Helps avoid embarrassing data leaks
- Guards against severe financial and legal penalties for compliance findings