1 / 21

Sensitive Data Accessibility Financial Management

Sensitive Data Accessibility Financial Management. College of Education Michigan State University. Sensitive data. Back in 2005, the University started a campaign to make staff more aware of sensitive data concerns

akasma
Download Presentation

Sensitive Data Accessibility Financial Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Sensitive DataAccessibilityFinancial Management College of Education Michigan State University

  2. Sensitive data Back in 2005, the University started a campaign to make staff more aware of sensitive data concerns PCI DSS - Payment Card Industry Data Security Standard is that if credit card numbers are stolen from our servers and we are found to be in breach of the PCI DSS standard at the time of the breach, Visa and MasterCard may EACH fine the University up to $500,000 and then revoke out ability to use their credit cards. More information: http://computing.msu.edu/msd/pcidss.html MSU’s Managing Sensitive Data site at http://computing.msu.edu/msd/ is worth a thorough read.

  3. Levels of sensitivity for data Confidential Sensitive Public

  4. Public data Not protected and generally made publically available Directories Library card catalogs Course catalogs Institutional policies

  5. Sensitive data Protected by institutional policy, guidelines, or procedures – may be public/FOI-able (freedom of information) Salary data Detailed institutional accounting and budget data Personally restricted directory data Certain personal employee attributes

  6. Confidential data Protected by law, contract, or University policy SSN payment/credit card health records student records

  7. Where to look for sensitive data Digital  Laptop computers, Desktop computers  PDAs, thumb drives  Network drives, web and file servers  Email attachments, social networking sites Paper  Sticky notes, notepads, paper files  Receipts  PAN forms and other official documents  Travel documentation

  8. Ask, “Do I absolutely need this data?” If not, get rid of it. If you do need it, minimize its exposure. As soon as you no longer need the data, delete it. Don’t leave sensitive data on computers or PDAs that are easily stolen. Make sure the computer the data is stored on is protected against viruses, worms, etc. Be careful distributing the data via email or paper forms.

  9. Identifying and reporting an incident For help determining if an exposure or intrusion occurred, contact the College Computer Support 353-8770

  10. What happens if an incident occurs? College CSG checks the computer to determine if there is sensitive data involved. Computer remains powered on but disconnected from the network. If there is sensitive data involved, College notifies DPPS at 355-2221. DPPS, the unit, and LCT will assess the incident. Systems involved may be taken for investigation. If necessary, MSU will disclose an exposure to those who might be affected

  11. Incidents at MSU Despite best efforts, exposures have happened at MSU Student PIN #s exposed during data transfers between business units SSNs may have been exposed on a server at a business unit Student SSNs, names, addresses may have been exposed on a server at an academic unit Years of credit card transactions may have been exposed on a server at a business unit Confidential employee information may have been exposed on servers at a business unit

  12. College Policy The college has been working on sensitive data management and security awareness has increased. Our data is more secure now that we have followed the policy for a few years. All college staff are required to attend sensitive data awareness seminar every three years.

  13. And in practical terms, that means? No confidential data on college servers or computers There is no reason to store SSNs on a computer, so don’t. If you need to use SSNs at all (and we know there are reasons), work with us to make sure they are handled with a minimum of risk. For credit card/payment information, use web credit service at https://www.ais.msu.edu/webcredit_info/webcredit_intro.asp If you absolutely must have SSNs, credit card numbers, or any other sensitive data on paper, destroy those papers as soon as you don’t need the data anymore. If you need to keep the data, lock the papers up, then destroy them as soon as you can. Most importantly:be awareof how you can minimize exposure.

  14. Financial Management Oversight Segregation of duties: More than one person needed to complete a record transaction. Implement mitigating controls if staffing resources do not permit desired segregation of duties. Adequate oversight: at least take samples. Pay attention to high risk areas: cash and inventories. Take periodic inventory. Monthly reconciliation of P-card statement is required.

  15. Accessibility Web accessibility means that people with disabilities can read, navigate, and contribute on the Web through the use of assistive technology like screen readers. The web accessibility initiative facilitates MSU interacting with the broadest possible audience. The web accessibility policy will start being enforced May 15, 2009.

  16. What needs to be accessible? Any content that is considered “core business” by the university must be accessible.

  17. What is “core business”? Core business is defined very broadly. It is “activities that students, employees, or visitors must access in order to effectively participate in a program, service, or activity offered by the University.” In practical terms, this means EVERYTHING (web pages, PDF documents, Word documents, etc.) except personal web sites or documents. In theory, it also includes internal documents that students never see.

  18. The University will help. LCTTP has free classes on how to make Word documents and PDFs accessible. In fact, one is offered on April 3. Details here: http://train.msu.edu/classinfo/detail.asp?course=72633

  19. If you do create web site or edit pages You need to follow the University’s guidelines, which can be found here: http://webaccess.msu.edu/policies-and-guidelines/interim-technical-guidelines.html

  20. What about my faculty members? The policy dictates that faculty are responsible for making their own course content accessible. This includes course information on Angel or any other web-based teaching methods. Faculty are aware of this and have resources to consult in approaching this task.

More Related