Virginia Tech’s Effective Practices for Managing Sensitive Data
Common Solutions Group
January 11, 2008
VT EP for Managing Sensitive Data
Our needs…
• Stay out of the Press.
• Stay out of the courts.
• Preserve the integrity of the data.
• Respect the privacy of our students and employees.
Education
• On-demand
Building Blocks
• Acceptable Use Policy
• Data Classification
Tools
• SSL
Compliance
• HR Disciplinary Action
Pre-2003
#1: Do what you can when you can do it.
#2. Create a framework for doing it.
#3. Garner support from the Big Sticks.
• Board of Visitors
• University Legal Counsel
• Internal Audit
• Campus Police
Education
• Awareness sessions
• Faculty Dev. Institute
• Communication
• SANS-EDU
Building Blocks
• Authority Docs
• VTCA
• Policies (SSN)
• Standards (PII)
Tools
• Find_SSN
• Find_CCN
• Encryption
Compliance
• ITSO Security Reviews
• Audit
2008
#4. Don’t think you’re done.
Security Standards for Social Security Numbers
• IT Standards
– SSN on display screens, reports
– Security protocol to access SSN on VT DB
– Electronic Storage of SSN (encrypt it)
– Electronic transmission of SSN (encrypt it)
– Obtain permission to include SSN in ANY electronic system
• Records management handles paper documents
Benefits
• Lack of a complete solution has not prevented us from implementing partial solutions.
• Everyone has a role.
– Members of the IT organization and the university have increased their involvement, interest and awareness in security through policy development, tool development and by participating in VT IT Security Task Force.
Challenges
• Pulling all the pieces together to create a comprehensive plan for securing personally identifying information (PII).
Future Plans
• Meet the challenge!
References
• Virginia Tech IT-Related University Policies: http://www.policies.vt.edu/index.php#it
• Security Standards for Social Security Numbers: http://computing.vt.edu/administrative_systems/banner/security%20standards_5July05.pdf
• Virginia Tech Certification Authority: http://www.pki.vt.edu
• Virginia Tech Information Technology Security Office: http://security.vt.edu
• Virginia Tech IT Security Task Force: https://content.cc.vt.edu/confluence/display/ITS/Home
• Administrative Data Management and Access Policy: http://www.policies.vt.edu/7100.pdf