Educause Security Discussion mailing list archives
Re: FTC and Red Flag Rule...our policy
From: Chris Kidd <chris.kidd () UTAH EDU>
Date: Fri, 10 Oct 2008 11:32:44 -0600
Our approach has been to develop a simple policy:

Detection, Prevention, Mitigation, and Reporting of Identity Theft

1. The Information Security and Privacy Office will develop, routinely update, and distribute guidance which outlines methods of detecting "Red Flags" - actual risks for identity theft.
2. Departments shall review the guidance and apply procedures to assist in detecting "Red Flags."
3. If identity theft is suspected, the department will notify and seek advice from the Information Security and Privacy Office within 1 business day.
4. The Information Security and Privacy Office shall periodically update the overall program, and departments should update policies and procedures relevant to their operations, to reflect changes in risk, based on the published guidance.
5. The University of Utah Chief Information Officer and UUHC Chief Information Officer will provide oversight for this program, after written approval from the Board of Directors has been obtained.

The core of the program is the guidelines (attached). Our office maintains the guidelines, and assists, when necessary, with implementation.

Chris Kidd
Chief Compliance and University Information Security and Privacy Officer
The University of Utah
650 Komas Drive, Suite 102
Salt Lake City, UT 84108
Office: 801.585.7483
Fax: 801.587.9443

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mclaughlin, Kevin (mclaugkl)
Sent: Wednesday, October 08, 2008 3:38 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FTC and Red Flag Rule

Hi Anand:

We are affected, or at least that is what my treasurer, GC and myself believe based on our research into this. I am currently going through the final set of red flag rules and trying to prepare a high level executive summary of what I think this means. Of the 328 pages I have been able to drop it down to 120 and am hoping to get that to a document under 10 pages that is basically a "this is what you should be doing" doc. If interested in getting a copy of that document (probably be early next week before I am finished with it) just let me know.

-Kevin

Kevin L. McLaughlin
CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
513-558-ISEC (department)

CONFIDENTIALITY NOTICE: This e-mail message and its content is confidential, intended solely for the addressee, and may be legally privileged. Access to this message and its content by any individual or entity other than those identified in this message is unauthorized. If you are not the intended recipient, any disclosure, copying or distribution of this e-mail may be unlawful. Any action taken or omitted due to the content of this message is prohibited and may be unlawful.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Anand Malwade
Sent: Wednesday, October 08, 2008 3:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] FTC and Red Flag Rule

Hi,

Does anyone know if Educational Institutions are affected by the FTC's Red flag rule about maintaining an Identity Theft program? If yes, has anyone implemented or has a roadmap for deployment? In my opinion if the rule is indeed applicable, the Institution's Legal Counsel should drive the initiative and not IT. Any suggestions are welcome.

http://www.dciginc.com/2008/08/ftc-issues-red-flag-rules-reminder-ensuring-i.html
http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm

Thanks,
Anand

Anand Malwade, CISSP, CISM, CISA.
Information Security Officer,
Seton Hall University,
malwadan () shu edu
Attachment:
Identity Theft Guidance_3.doc