Educause Security Discussion mailing list archives

Security Awareness & Training To Address Confidential Data Handling


From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Mon, 15 Oct 2007 15:10:16 -0400

October is National Cyber Security Awareness Month!  Among the
audiences in need of ongoing security awareness are campus
administrators, faculty, and staff who handle sensitive or
confidential information entrusted to them.  Data stewards and IT
staff who manage the collection, storage, and access to sensitive or
confidential data will need additional training.

In response to the growing numbers of reports of data security
breaches at colleges and universities that exposed personal
information, the EDUCAUSE/Internet2 Security Task Force
(www.educause.edu/security) initiated a project to create a Blueprint
for Handling Confidential Data
(www.educause.edu/security/datahandling).  The Security Task Force
recommends that institutions of higher education take the following
actions:

Step One:  Create a security risk-aware culture that includes an
information security risk management program
Step Two:  Define institutional data types
Step Three:  Clarify responsibilities and accountability for
safeguarding confidential/sensitive data
Step Four:  Reduce access to confidential/sensitive data not
absolutely essential to institutional processes
Step Five:  Establish and implement stricter controls for
safeguarding confidential/sensitive data
Step Six:  Provide awareness and training
Step Seven:  Verify compliance routinely with your policies and
procedures

Additionally, under the category for Awareness and Training the task
force recommends the following substeps:

6.1 Make confidential/sensitive data handlers aware of privacy and
security requirements
6.2 Require acknowledgment by data users of their responsibility for
safeguarding such data
6.3 Enhance general privacy and security awareness programs to
specifically address safeguarding confidential/sensitive data

The Security Task Force encourages you to make awareness and training
for sensitive data handling a part of your awareness efforts during
the month of October.  The task force wants to learn about the
awareness and training programs you have instituted to address this
critical need.  Please send your effective practices and solutions to
security-task-force () educause edu

P.S. Next month I (and several others including Rodney Petersen of
Educause) will present at the NDSU EduTech IT Security: A Call to
Action for the Education Community Nov. 7 and 8, at the Ramada Plaza
Suites, Fargo, N.D. ( http://itsecurity.ndsu.edu/ ) on issues related
to this topic.

- H. Morrow Long, CISSP, CISM, CEH
  University Information Security Officer
  Director -- Information Security Office
  Yale University, ITS



