It's Not Just FERPA. Privacy and Security Issues in Higher Education. Alisa Chestler, Washington, D.C. Eric Setterlund, CIPP/US, Chattanooga, Tennessee


Transcription:


Today's Topics
- Our world
- What kind of information are we concerned about?
- What is privacy and information security?
- What is a data breach?
- What laws impact higher education institutions?
- What should you do?

Our World
2013 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC

Sensitive Information is What We Are Concerned About
- Educational records
- Employee health information (for group health plans)
- Employment files
- Accounting and financial reporting information
- Company trade secrets (products, customers, business strategies, etc.)
- Legal files: litigation, patent, M&A, etc.
- Network user IDs and passwords
- Student financial information
- Credit card information/account information

What is Privacy and Information Security, Anyway?
- Two sides of the same coin: ensuring confidentiality of information
- Privacy is the objective, security is the means

Applicable Regulatory Regimes
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standards (PCI-DSS)
- Family and Medical Leave Act
- Americans with Disabilities Act
- 42 C.F.R. Part 2
- Privacy Act
- FCRA/FACTA
- Genetic Information Nondiscrimination Act
- CAN-SPAM
- Library Patrons Acts?
- Applicable destruction laws?

Can't forget about state laws.... 47 states with laws.

A Case Study
A student is a victim of sexual assault on campus. She is unsatisfied with the university's response and decides to sue the university. Should the university access the student's psychotherapy records from the student health center?

Legal Implications
- Title IX
- FERPA or HIPAA? Treatment Records/Educational Records
  http://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaaguidance.pdf
  http://www.hhs.gov/ocr/privacy/hipaa/faq/ferpa_and_hipaa/518.html
- Any applicable state laws limiting disclosure of psychotherapy records?

Legal Implications (continued)
- What's in your notice of privacy practices?

Surveillance

What is a Data Breach?
A data breach is the unauthorized disclosure or the unauthorized use of information.

The Culprit?

EMPLOYEES!

Risk Management Considerations: Data Breach
- High cost of data breach response (potentially astronomical)
  - forensic consultant
  - breach notification
  - call center
  - credit monitoring
  - legal fees
  - PR costs
  - government investigation costs
  - civil monetary penalties and fines
  - regulatory fines
- Reputational harm: public relations fiasco
- About $200 per person per incident

Off-Campus Information
- Employees Removing Information from Campus
  - Laptops, iPhones and iPads at home or sitting around in airports, hotels, bars and unoccupied cars
  - Forgotten thumb drives in sock drawers
  - Personal email and personal cloud storage accounts (e.g., DropBox)
  - All of the above for former employees who didn't return or destroy the information
- Third Parties Holding or Accessing Information under Contract
  - Physical files stored offsite
  - Service vendors
  - Virtual data rooms
  - IT consultants
  - Software-as-a-service (SaaS) vendors
- Other
  - Discarded computers*
  - Copiers returned after lease expired*
  * hopefully wiped of data

How should you address the issue?

Essential Elements of Any Compliance Program
- Designated responsible person/committee (accountability)
- Policies and procedures (documented expectations)
- Training and awareness (understanding of expectations)
- Open communication (channels to report compliance concerns)
- Monitoring (mechanisms to discover non-compliance)
- Enforcement (sanctions for non-compliance)
- Response plan (procedures to address effects of non-compliance)

Some of the Required Policies and Procedures
- Privacy
  - Documented policies and procedures
  - Formal training and security awareness program
  - Sanctions for non-compliance
  - Permitted and prohibited uses and disclosures
  - Minimum necessary use
- Security
  - Security management program
  - Periodic security risk analyses
  - Role-based access
  - Physical security protocols
  - Technical security protocols

Fundamentals of Security Risk Management
ASSESSMENT and CONTROL

Options for Dealing with Security Risks
Three options for addressing any given risk:
- Mitigate it: implement controls to reduce likelihood and/or impact of the threat (i.e., abate the vulnerability)
- Transfer it: put the risk off to an insurer or contract party
- Accept it: if likelihood and impact of threat are limited, or if cost to mitigate or transfer is too high
Can only address risks that have been IDENTIFIED and ASSESSED

The Risk Assessment
- Cannot control a risk that is not identified
- We can always lock down information so tightly that no one can use it, but we cannot implement appropriate controls without understanding the risk to be controlled
- Security risk analysis: focus attention and resources (i.e., controls) on threats representing the GREATEST TOTAL RISK

The Risk Assessment Process
(flow diagram) Set Your Boundary -> Threats -> Vulnerabilities -> Expected Loss -> RISK -> Implement Appropriate Controls
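The assessment and the three options above, carried through as an added example that is not part of the slides: it prices each identified risk with the deck's $200-per-person figure, ranks risks by expected loss (greatest total risk first), and picks the cheapest of mitigate, transfer or accept. The likelihoods, control costs and premiums in the sample are constructed assumptions, not figures from the deck.

```python
from dataclasses import dataclass

COST_PER_PERSON = 200.0  # the deck's rule of thumb: about $200 per person per incident

@dataclass
class Risk:
    name: str
    records: int              # people whose data sits inside the assessment boundary
    likelihood: float         # estimated yearly probability the threat hits the vulnerability
    mitigation_cost: float    # yearly cost of the control (assumed figure)
    mitigation_effect: float  # fraction of likelihood the control removes, 0..1 (assumed)
    transfer_cost: float      # yearly premium or contract price to shift the loss (assumed)

    def impact(self) -> float:
        return self.records * COST_PER_PERSON

    def expected_loss(self) -> float:
        return self.likelihood * self.impact()

def rank_by_total_risk(risks):
    # Greatest total risk first: where the deck says to focus attention and controls.
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)

def choose_option(r: Risk, acceptable_loss: float) -> str:
    """Cheapest of the deck's three options for one identified and assessed risk."""
    loss = r.expected_loss()
    if loss <= acceptable_loss:  # likelihood and impact limited: accept it
        return "accept"
    residual = loss * (1.0 - r.mitigation_effect)
    cost = {
        "mitigate": r.mitigation_cost + residual,  # control cost plus what it leaves behind
        "transfer": r.transfer_cost,               # insurer or contract party carries the loss
        "accept": loss,                            # keep the exposure as it is
    }
    return min(cost, key=cost.get)

# Constructed sample, modelled on the deck's off-campus and third-party scenarios.
SAMPLE = [
    Risk("laptop with student financial info lost off campus", 5000, 0.30, 20_000, 0.95, 150_000),
    Risk("breach at SaaS vendor holding educational records", 20000, 0.05, 500_000, 0.50, 80_000),
    Risk("forgotten thumb drive with a class roster", 40, 0.20, 3_000, 0.90, 1_000),
]

def assess(risks=SAMPLE, acceptable_loss=5_000.0):
    # Ranked (name, expected loss, chosen option) triples, highest total risk first.
    return [(r.name, r.expected_loss(), choose_option(r, acceptable_loss))
            for r in rank_by_total_risk(risks)]

for name, loss, option in assess():
    print(f"{loss:>10,.0f}  {option:<8}  {name}")
```

On the sample, full-disk encryption is cheaper than insuring the lost-laptop risk, the vendor breach is cheaper to transfer than to control, and the thumb drive falls under the acceptable-loss threshold.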

Risk Mitigation Strategies: Internal Controls
- PHYSICAL SAFEGUARDS
- TECHNICAL SAFEGUARDS
- ADMINISTRATIVE SAFEGUARDS

Risk Mitigation Strategies: Internal Controls (Physical safeguards)
Examples of threats:
- external environment (lightning, tornado, flood, riots, power outage)
- internal environment (water leaks, fire, excessive heat or humidity)
- human threats
  - intentional (theft, vandalism, espionage)
  - inadvertent (loss, accidental erasure, unintended change)
Examples of controls:
- locks on doors, file cabinets, etc.
- ID badges and visitor escorts
- physical intrusion detection systems
- redundant power and HVAC systems
- fire suppression systems
- back-ups

Risk Mitigation Strategies: Internal Controls (Technical safeguards)
Examples of threats:
- access by unauthorized persons
- inability to discern improper access or transmission
- unauthorized or unintended changes to or deletion of information
- data corruption
Examples of controls:
- strong passwords
- firewalls
- access and activity logs
- anti-virus software
- network intrusion detection systems
- encryption, encryption, encryption
Encryption (for data at rest and in transit) cures many ills

Risk Mitigation Strategies: Internal Controls (Administrative safeguards)
Examples of threats:
- inadvertent disclosure or loss of information
- improper use of information
- unknown unknowns
Examples of controls:
- appropriate policies and procedures are the foundation
- key principles of least privilege, minimum necessary, and fail securely
- security awareness program (training, re-training and reminders)
- monitoring for violations and sanctioning violators
- regularly performed security risk analyses
Largely the domain of the legal/compliance function rather than IT

Risk Mitigation Strategies for Service Providers
Due diligence: what institutions should do before handing over client info
Questions to ask:
- Designated privacy and security officer(s)? When designated?
- Formal, written privacy and security policies and procedures?
- Security risk assessment? Performed by qualified third party? When?
- Any use of downstream hosting vendors or data centers?
- Any security-related audits or certifications? Same question for any downstream service provider.
- Ever experienced a data breach involving personal information of individuals?
- Maintain cyber-liability insurance? What coverage(s)?
- Examine privacy and security policies and procedures
- Talk with privacy and security officer(s)