SIGUCCS Implementing an Information Privacy and Security Team April 1, 2009

Presented by Mike Leach, Project Manager, and Jenn Stewart, Technical Coordinator. Topics covered: the Penn State environment, our experiences, project planning, planning for implementation, implementation, and ongoing responsibilities.

Presentation Transcript


  1. SIGUCCSImplementing an Information Privacy and Security TeamApril 1, 2009 Mike Leach, Project Manager Jenn Stewart, Technical Coordinator

  2. Value of Presentation • Penn State environment • Our experiences • Project planning • Planning for implementation • Implementation • Ongoing responsibilities

  3. Penn State’s World • 24 campus locations across PA • Population • 83,000+ students • 23,000+ staff and faculty • Distributed network environment • Geographically distributed • Budget responsibility distributed

  4. Project Planning

  5. Justify the Need • Evolving threats • Increasing Federal and State statutes, business agreements • End-user awareness • Preserving institutional reputation • Practice does not match policy • Conduct gap analysis

  6. Develop a Project Plan • Identify most critical areas • Include gap analysis results • Identify key players • Administration • Team overseeing project • Representatives from various areas • Working groups • Incident response team

  7. Develop a Project Plan, cont’d • Include timeline • Awareness programs • Funding resources • Overall strategy for implementation

  8. PSU Project Plan • Multi-phase project • Phase I: Payment Card Industry Data Security Standards (PCI DSS) • Phase II: Personally Identifiable Information (PII) • Centralized services • Extension of project • Life after IPAS

  9. Pitching the Project Plan • Benchmark with other institutions • Support necessary from senior leadership • Show assessment results • How this fits in with overall security posture • Work with other institutional committees and groups • Approval – YES!

  10. AUDIENCE Share your Experience Who has a designed team and security project already in place?

  11. Planning for Implementation

  12. Raising Awareness • Necessary prior to implementation • Buy-in from Academic Leadership Council (ALC) • Offerings to institutional community • Classroom-style • Computer-based (online, offline) • Department or group meetings • Local/internal conferences • Campaign initiatives • Social networking utilities

  13. Awareness Efforts • Specific audience (required), later open to all • Content • Current initiatives, in depth • Compromise stats (internal & external) • Expectations • Assuming responsibility • Future initiatives - brief outline • Resources (internal & external)

  14. Serve as a Consultant • Identify your role • Provide consultation support • Maintain results • Gap analysis • Remediation efforts • Compliance progress

  15. Cultural Shift • Forbidden words • Handling vocal individuals • Support versus authority role • Area liaisons to support initiative • Process change

  16. Implementation

  17. Central Versus Distributed • Decision making • Examine infrastructure • Results from gap analysis • Feedback from awareness • Services, applications • Funding: department/unit versus centralized

  18. Funding Strategies • Reflect on departmental versus central discussion • Prioritize needs • Offer multiple solutions • Reorganize current budget • Pull resources from other areas • Transparency

  19. Review of Policies and Procedures • Internal versus institution-wide • Data classification scheme • Consider Federal and State legislation, business agreements • Current • Pending

  20. Ongoing Responsibilities

  21. AUDIENCE Share your Experience What are some of the security challenges your institution is facing?

  22. Compliance Assessments • Raise awareness • One week advance notice • Examine “said” security measures • Provide timeline for remediation • Involve senior leadership when necessary • Prepare for ramifications

  23. Notification Incident Response • Identify team • Map out a process • Pilot test regularly • Prepare for public exposure • Discuss reporting obligations

  24. Compromise Fallout • Data loss impact • Institution • Individual (ramifications) • Handling the media • Learn from other institution exposures • Use success stories

  25. Protect YOUR customers and YOUR institution Pizza anyone? • http://www.aclu.org/pizza/

  26. Rinse, Lather and Repeat • Develop a strategy • Involve key players • Raise awareness and educate • Increase security measures (stay ahead, mitigate risk) • Assess regularly (mitigate exposure) • Budget for security measures annually • Revise vocabulary

  27. Resources Educational • NIST: http://www.nist.gov/index.html • SANS: http://www.sans.org/ • Privacy Rights Clearinghouse: privacyrights.org • Directory of Data Breaches: dbloss.org Collaboration • IPAS: www.ipas.psu.edu • EDUCAUSE: http://www.educause.edu/ • http://www.aclu.org/pizza/

  28. Open Dialog Penn State University Information Privacy and Security (IPAS) Mike Leach, mjl9@psu.edu Jenn Stewart, jas72@psu.edu ipas@psu.edu | 814-867-1340 | www.ipas.psu.edu
