Educause Security Discussion mailing list archives

Confidential/Sensitive Data Handling Blueprint Now Available


From: Shirley Payne <payne () VIRGINIA EDU>
Date: Fri, 19 Jan 2007 10:55:29 -0500

We write to announce availability of a new security toolkit that brings
together in one place resources pertaining to confidential/sensitive
data handling, and to solicit your help to enhance this tool. Version
1.0 of the "Confidential/Sensitive Data Handling Blueprint" is posted at
https://wiki.internet2.edu/confluence/display/secguide/Confidential+Data+Handling+Blueprint.

As you know, the EDUCAUSE/Internet2 Security Task Force has been working
hard these past several years to improve computer and network security
across higher education. Several useful resources
(www.educause.edu/security) have been developed and there have been a
number of other task force accomplishments since the group was formed in
2000. Nonetheless, the risks to information security at colleges and
universities continue to persist and necessitate that individuals at all
levels of the institution become engaged to prevent further data
breaches from occurring.

To help institutions direct this effort, a Security Task Force work
group has developed a blueprint that recommends the key strategies that
follow for stopping the leakage of confidential/sensitive data.

o Create a security risk-aware culture that includes an information
security risk management program.
o Classify information assets according to their importance and the
corresponding need to protect them against unauthorized access and use.
o Clarify roles and responsibilities and hold individuals accountable
for safeguarding data.
o Reduce access to sensitive data that is not essential to university
processes.
o Implement stricter controls (policies, processes, and technologies)
for safeguarding data.
o Raise awareness and provide training to the community.
o Verify compliance routinely with your policies and procedures.

Sub-steps for each strategy are identified in the blueprint and
field-proven, effective practices are being linked to each sub-step. As
mentioned above, Version 1.0 of the blueprint is posted at
https://wiki.internet2.edu/confluence/display/secguide/Confidential+Data+Handling+Blueprint.
On behalf of the group, we solicit your suggestions for additional
practices to reference. Please email those to Valerie Vogel at
vvogel () educause edu. The blueprint will be updated periodically, so be
sure to revisit the web page often!

Also, we want to take this opportunity to share a list of upcoming
seminars on protecting sensitive data, where this blueprint will be the
primary focus:

January 25 - Los Angeles, CA
1-day seminar hosted by UCLA
Presented by Morrow Long & Krizi Trivisani
http://www.educause.edu/esem071

March 19 - Worcester, MA
NERCOMP pre-conference seminar
Presented by Morrow Long & David Escalante
http://www.educause.edu/nc07

April 10 - Denver, CO
Security Professionals Conference pre-conference seminar
http://www.educause.edu/sec07

May 2 - East Lansing, MI
1-day seminar hosted by Michigan State University (program info will be
available online soon…)

July 30 - Washington, DC
Campus Technology Conference
Presented by David Escalante (program info will be available soon...)

There will also be a 1-day seminar in the southeast in June. The
date/location will be announced soon.

Best regards,

Confidential Data Handling Group Co-Chairs
Shirley Payne (University of Virginia)
Krizi Trivisani (The George Washington University)
