Educause Security Discussion mailing list archives

Re: Sensitive Data Self-assessments


From: "Waller, Michael A. (HSC)" <Michael-Waller () OUHSC EDU>
Date: Wed, 7 Jun 2006 10:32:39 -0500


We're working on a lot of policies that address some of those issues.
Some of our policies are not ready to be placed in public areas yet, but
we do have some policies that have received enough approval that they
are posted to our public website: http://www.ouhsc.edu/it/policy/.
Ultimately, we are developing a risk assessment program that will rely
heavily on self-assessment processes, but not all of these are ready for
sharing at this point.


With regard to the VA incident, the most important policies we're
developing are not yet ready for the public website. In a nutshell,
though, we're writing policy to 'strongly encourage' users to store data
on network resources rather than their PC (we have VPN available for
connectivity). We are also working on policy to define the hoops users
must jump through if they will be transporting data on a regular basis.
In the next few weeks, we'll also be developing a telework policy. All
of these policies will be applicable to data classified as 'sensitive'
(our Data Classification policy is available at the above link).
Sensitive data, by definition, includes all data protected by HIPAA,
FERPA, and GLBA, among other types of data.


Mike Waller, CISSP

Information Technology, Information Security Services

The University of Oklahoma Health Sciences Center

From: C. Lazarus [mailto:CLazarus () BUSINESS BUFFALO EDU] 
Sent: Wednesday, June 07, 2006 9:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Sensitive Data Self-assessments


Well - interesting morning - I just returned from an ad-hoc meeting with
Student Affairs. They were asked by their VP if what is happening with
the VA data could happen to them. And the answer is - maybe. So, they
want to protect their information, but they need to find out what's out
there, and do awareness training. They would really like a risk
assessment, self-assessment type instrument that would supply them with
the information they want to collect, and also be a tool to educate
their users. Anybody's organization have anything they would be willing
to share? They want to see others because while I think we covered most
data (SSN, Bank Accounts, FERPA, Police, Grades, Drivers License,
Student Health) they want to make sure they haven't missed something
important.


Thanks for any help.


Carolann G. Lazarus, CISA 
IS Auditor - Internal Audit 
University at Buffalo 
645-5000 x1243 
clazarus () business buffalo edu 
