Educause Security Discussion mailing list archives
Security Awareness & Training To Address Confidential Data Handling
From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Mon, 15 Oct 2007 15:10:16 -0400
October is National Cyber Security Awareness Month! Among the audiences in need of ongoing security awareness are campus administrators, faculty, and staff who handle sensitive or confidential information entrusted to them. Data stewards and IT staff who manage the collection, storage, and access to sensitive or confidential data will need additional training.

In response to the growing numbers of reports of data security breaches at colleges and universities that exposed personal information, the EDUCAUSE/Internet2 Security Task Force (www.educause.edu/security) initiated a project to create a Blueprint for Handling Confidential Data (www.educause.edu/security/datahandling).

The Security Task Force recommends that institutions of higher education take the following actions:

Step One: Create a security risk-aware culture that includes an information security risk management program
Step Two: Define institutional data types
Step Three: Clarify responsibilities and accountability for safeguarding confidential/sensitive data
Step Four: Reduce access to confidential/sensitive data not absolutely essential to institutional processes
Step Five: Establish and implement stricter controls for safeguarding confidential/sensitive data
Step Six: Provide awareness and training
Step Seven: Verify compliance routinely with your policies and procedures

Additionally, under the category for Awareness and Training the task force recommends the following substeps:

6.1 Make confidential/sensitive data handlers aware of privacy and security requirements
6.2 Require acknowledgment by data users of their responsibility for safeguarding such data
6.3 Enhance general privacy and security awareness programs to specifically address safeguarding confidential/sensitive data

The Security Task Force encourages you to make awareness and training for sensitive data handling a part of your awareness efforts during the month of October.
The task force wants to learn about the awareness and training programs you have instituted to address this critical need. Please send your effective practices and solutions to security-task-force () educause edu

P.S. Next month I (and several others including Rodney Petersen of Educause) will present at the NDSU EduTech IT Security: A Call to Action for the Education Community Nov. 7 and 8, at the Ramada Plaza Suites, Fargo, N.D. ( http://itsecurity.ndsu.edu/ ) on issues related to this topic.

- H. Morrow Long, CISSP, CISM, CEH
University Information Security Officer
Director -- Information Security Office
Yale University, ITS