Transcript of Information Privacy Policy Training (Information Technology Services, Information Security and Privacy Office) · 2019-03-07

INFORMATION TECHNOLOGY SERVICES

Information Privacy Policy Training

INFORMATION SECURITY AND PRIVACY OFFICE

Brian Rue, Associate Director Info Privacy

5 REASONS WHY PRIVACY COMPLIANCE IS IMPORTANT TO FSU

1. To meet Compliance Requirements

2. To Prevent Breaches that Damage the Reputation of FSU

3. To Prevent Breaches that Cause Harm to Our Students/Faculty/Staff/Donors/Customers

4. To Maintain and Improve the Reputation/Brand Value of FSU

5. To Validate the University’s Perception as a Reliable Custodian of Customer Information

ADDITIONAL PRIVACY DRIVERS

FSU Privacy Policy

Good Business Practice

New Laws (GDPR/California Consumer Privacy Act)

Contractual Responsibilities (NIST 800-171/FISMA/ITAR/PCI-DSS)

SECURITY AND PRIVACY RELATIONSHIP

INFORMATION@FSU

o Student
o Faculty
o Staff
o Customers
o Research
o Administrative
o Physical Security
o Intellectual Property
o Donor
o Student’s Parents
o Financial
o Budgets
o Law Enforcement
o Building Plans
o Athletics
o Scholarships
o Direct Support Organizations

WHERE IS OUR INFORMATION?

o College/Dept./School/Lab/Institute/Office/Clinic Local Information Processing Assets
o NWRDC
o Network Devices
o ITS VMs/Colocation/Storage
o Commercial Cloud Services
o Outsourced to Vendors
o ITS Offsite Backup
o Other EDUs (e.g. research datasets)
o Federal Government
o BYOD (not recommended)
o Geographic Locations: US vs Non-US
o International Campuses (Republic of Panama/UK/Spain/Italy)

Maintaining the Privacy of Protected or Private Information is Not a One-Person Job at FSU

1. Understand what information you process as part of your job duties

2. Know the classification of the data you are responsible for

3. Execute a safeguarding strategy for “Protected” or “Private” information

4. Attend yearly training on privacy topics

5. Know how to recognize Unauthorized Privacy Activities

6. Be aware of the university’s Incident Response Procedures

Pledge Your Loyalty: Privacy as a Commitment (PaaC)

4-OP-H-12 INFORMATION PRIVACY POLICY, ESTABLISHED FEBRUARY 23, 2016

A. OBJECTIVE

Florida State University (FSU) takes seriously its obligation to respect and protect the privacy of its students, alumni, faculty and staff, and to safeguard the confidentiality of information important to FSU's mission and vision. This commitment is in accordance with legislated or contractual obligations concerning the use and control of protected or private information. As the custodian of protected and private information, FSU recognizes the importance of safeguarding information resources from loss, misuse, unauthorized access or modification.

DATA TRUSTEE

1) FSU’s executive structure correlates directly with the major categories of university data; includes the President, Provost, and Vice Presidents.

DATA OWNER

2) The head of a college/unit (dean or director) who is ultimately responsible for that college/unit’s data resources.

DATA MANAGER

3) The unit employee(s) to whom the data owner has delegated operational oversight of the unit’s data resources. Includes associate/assistant directors and department heads.

DATA CUSTODIAN

4) The person or team that has operational responsibility for the physical and electronic security of information. Data custodians for electronic data normally include programmers, database administrators, and system administrators.

INFORMATION OWNERSHIP: PSYCHOLOGY

o Data Trustee: President/Provost/VP Research

o Data Owner: Arts and Sciences, Dean Huckaba

o Data Manager: Dept. Chair, Dr. Taylor

o Data/Information Custodians: Matt Hohmeister & Faculty and Staff/Outsourced Vendors

INFORMATION OWNERSHIP: F&A PAYROLL

o Data Trustees: President/VP Finance & Administration

o Data Owner: Sandy Scanlan, Controller

o Data Manager: Beverly Miller, Associate Controller Payroll Services

o Data/Information Custodians: ITS and Local IT Professionals/Outsourced Vendors

INTER-FSU INFORMATION TRANSFERS & CO-OWNERSHIP

Data Owners/Managers can Authorize the Transfer of Information to other University Unit Data Owners/Managers

o Research Datasets

o Faculty Payroll Reports

o Data Cache Transfer

OUTSOURCING FSU INFO

The Data Custodian Activities can be Outsourced by a Data Owner or Data Manager

DATA CLASSIFICATION @ FSU

o Protected

o Private

o Public

A. RESOURCES

UNIT PRIVACY COORDINATOR (UPC)

1) Maintaining the information identification and classification

2) Working with the Information Security Manager to assess that privacy controls are in place.

3) Ensuring unit staff are trained on this policy and on specific legislated or contracted privacy requirements.

4) Ensuring each unit staff member who handles protected or private information signs an FSU Memorandum of Understanding.

5) Working with legal resources to ensure contracts or agreements contain terms stipulating adherence to FSU policy, legislation, or contractual safeguarding provisions for third-party vendors.


TRAINING

FSU will make available to Unit Privacy Coordinators and the university in general standardized information privacy training.

B. ACCESS AND USE

Access to FSU information classified as protected or private requires appropriate authorization:

1) Trustee, Data Owner, or Data Manager authorizing access

2) Through info sharing agreements with vendors

3) Responding to an individual’s request to see their data

4) As governed by legal and regulatory restrictions

Confidentiality Statement and Privacy Training

1. Access to “Protected” information noted in position description

2. FSU Memorandum of Understanding is maintained by unit and is auditable

3. Training to handle protected/private information

4. Unit maintains rosters of training participants for audit

Approved Transfer of Protected or Private Information

The following actions involving protected or private information must be authorized by the responsible Dean, Director, Department Head, or designee and related approval documentation maintained on file at the unit’s central office:

1) Transferring protected info to third-party vendors or service providers.

2) Any transfer of “Protected” information to portable storage or portable computing devices such as laptop computers, tablets, or smartphones.

3) Allowing system and network administrators to access protected information to perform an approved action.

Third-party Access to Protected or Private Information

If FSU decides to contract a third party for the processing of protected or private information, this must be regulated in a written agreement.

Physical Security Access Restrictions

Clean desk requirements are a university directive that specifies how employees working with Protected/Private information should leave their working space when not in the room or after hours.

Protected or Private Information Use in Photography and Videography

Certain photos and videos of students are “educational records” under FERPA.

o Photos or videos prominently show one or a few students.

o Photos or video images are part of FSU’s official functions and/or depict students in their educational or academic environment.

FERPA Picture Quiz (pictures 1 to 5; images not reproduced in the transcript)

Protected or Private Information Use in Social Media

Because of the powerful ability of social media to broadcast information worldwide, faculty and staff should safeguard all protected or private information, posting only what they have permission to post by law, by policy, or by explicit consent.

Use of Biometric Technologies

University units implementing biometric technologies must ensure they meet any relevant privacy and biometric laws and regulations as they may relate to the acquisition and retention of biometric information.

Online Collection of Protected and Private Information

1) Protected information communicated between a user's browser and a web-based application must be encrypted.

2) Storage of protected or private data on publicly accessible webservers must be encrypted.

3) Provide a link to the FSU Privacy Policy.


C. STANDARDS FOR SPECIFIC INFORMATION TYPES

Public Records

FSU faculty, staff, and contracted business partners must ensure the safekeeping of public records that have archival, administrative, or legal value.


Student Education Records

The Family Educational Rights and Privacy Act (FERPA) governs the disclosure of education records maintained by an educational institution.

Social Security Numbers

University units and their employees are only permitted to collect or store SSNs when necessary to meet a state or federal requirement or the unit has obtained written approval.*

(*President, Provost, Vice President, General Counsel, Director of Information Security and Privacy, or designated approver to meet an official business process)


Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule

The HIPAA Privacy Rule provides protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information.


Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLB)

GLB applies to any information received, processed, or stored related to Student Financial Aid.

Branded Credit/Debit Card Transactions

Credit card information will be safeguarded in a confidential manner as defined in the FSU 4-OP-D-2-G Payment Cards Policy and as specified in the merchant agreements as contractual obligations.

Electronic Communications / E-Mail

The President, Provost, or their designee may authorize access to faculty, staff, or student instant messaging archives, voice mail, or email in a number of circumstances including, but not limited to:

1) Health or safety of people or property.

2) Violations of FSU codes of conduct, regulations, or policies.

3) Violations of state or federal laws; subpoenas and court orders.

4) Other legal responsibilities or obligations.

5) Need to locate information required for FSU business purposes.

o E-mails containing information classified as protected should be encrypted, or the document should be password protected and sent as an attachment.


Research Information

University units conducting research must be aware of appropriate privacy restrictions for information transmitted, stored, or processed as part of research projects.

HIPAA/NIST 800-171/FISMA/ITAR/EAR/Human Subjects Privacy

D. PRIVACY VIOLATIONS AND INCIDENT REPORTING

Three primary classifications of privacy violations at FSU:

1) Incidental disclosure occurs when an unauthorized party overhears or sees protected or private information during a permitted use or disclosure in a work space.

2) Accidental disclosure occurs when privacy control weaknesses allow unauthorized access to protected or private information. Privacy control weaknesses include human error or a fault in privacy control procedures that leads to a loss of ability to limit access to protected or private information to only authorized users.

3) Intentional disclosure occurs when privacy controls are overridden to allow unauthorized access or disclosure of protected or private information. This can be done with or without malicious intent.


REPORTING REQUIREMENTS

It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed incidents to their supervisor or contract administrator including accidental incidents.


QUESTIONS