====== Meeting 1/19/2007 ======

=== Notes ===

  * We (Joanne Agostinelli, Todd Houle, James Taft & Steve Machuga) will be scheduling follow-up meetings with high-priority offices/departments to review the security techniques and suggestions outlined in Joanne, James & Todd's documentation.
  * Each group will continue to review their processes and implement their recommendations.
  * James Taft will continue working on the credential protection recommendations and actions.
  * Ravi will take progress to Senior Staff.
  * Mike Rice asked about faculty security awareness (particularly around student grades). We will take up that concern for the Fall '07 semester.
  * Nate Peters mentioned that we need to stay on top of our vendors -- to make sure they are adhering to proper security standards.
  * Nate asked that we accelerate laptop protection options.
  * Next Group Meeting **TBD**.

=== Agenda ===

The three groups will report on their progress.

=== Student - Anna van der Burg et al ===

https://itsdoku.wesleyan.edu/doku.php?id=data_network_security:student ##

=== Alumni - Deb Treister and Jane Jylkka ===

https://itsdoku.wesleyan.edu/doku.php?id=data_network_security:alumni ##

=== Human Resources - Pat Melley and Dan Pflederer ===

https://itsdoku.wesleyan.edu/doku.php?id=data_network_security:hr_benefits ##

=== Areas of comment from our October 31st meeting are: ===

  * Types of Sensitive Data
  * Procedures for Sharing Data
  * Procedures for Storing Data (both Paper and Electronic)
  * Interfaces with outside organizations.

The output of the sub-committees should be a short document expanding upon the work of the initial SSN Audit.

=== ITS - Joanne Agostinelli, Barbara Spadacini and James Taft ===

  * Review of Administrative Departments and their security level - based on student, employee or financial data. - Steve {{:non_acad_depts_ratings.xls|:non_acad_depts_ratings.xls}}
  * Present tutorial on basic procedures for proper data storage and practice - Joanne and Todd {{:security_recommendations_for_desktop_and_laptop_computers1.doc|:security_recommendations_for_desktop_and_laptop_computers1.doc}} {{:security_recommendations_for_desktop_and_laptop_computers_mac_version1.doc|:security_recommendations_for_desktop_and_laptop_computers_mac_version1.doc}}
  * High-level review of services that have security risks - James https://itsdoku.wesleyan.edu/doku.php?id=tss:credentialprotection:recommendations ##

**## Accessible only to security committee members with added security (email username and password)**

====== Notes from October 31st Data and Network Security Advisory Meeting ======

Next meeting of the Advisory Group will be: December 6th at 10:00 o'clock (see Meeting Maker). **We will review the reports of the four sub-groups (see below).**

===== SSN Audit 2006 =====

  * Results of the audit can be reviewed through GLB Audit in the Administrative Applications section of your portfolio.
  * Specific recommendations from the audit will be emailed (or otherwise communicated) to the responsible individuals.

===== Working Groups =====

We agreed to form 4 separate groups:

  * Student information group headed by **Anna van der Burg**, encompassing: Faculty, Registrar's Office, Health Services, Financial Aid, Admission, Student Accounts, Residential Life, Institutional Research and Academic Affairs.
  * HR/Benefits Group headed by **Dan Pflederer** and including Financial Services and Academic Affairs.
  * Alumni Group headed by **Deb Treister** and **Jane Jylkka**.
  * ITS group headed by **Barbara Spadaccini** and **Steve Machuga** and including ITS staff and **Michael Rice** from Computer Science.
  * **Eloise Glick** and **Paula Lawson** may choose to form a fifth curriculum or Academic Affairs Group.

===== Student, HR and Alumni Groups =====

The Student, HR and Alumni groups will review their data and practices:

  * Types of Sensitive Data
  * Procedures for Sharing Data
  * Procedures for Storing Data (both Paper and Electronic)
  * Interfaces with outside organizations.

The output of the sub-committees should be a short document expanding upon the work of the initial SSN Audit.

===== ITS Group =====

Will publish policies and/or prepare tutorials on the following issues:

  * Store electronic documents on the network drive (G: drive) in lower-level directories with limited access.
  * Review network directory (G: drive) permissions periodically.
  * Password-protect documents that have to be stored but don't have to be shared.
  * Don't save passwords on your desktop.
  * Paper shredding options.
  * Policies for retaining computers/directories of people who have left the university.
  * PGP encryption of email & attachments.
  * Move the attachment folder to the network directory (G: drive) for people/offices that regularly email sensitive information.
  * Offer a service for scanning laptops for sensitive data by ITS desktop support.
  * Periodic scans of non-secure directories for sensitive information.
  * Implement encryption of laptop passwords.

===== Additional Recommendations =====

  * Don't store anything (electronically or on paper) that you don't absolutely need to.
  * Remove sensitive data before saving documents if it's not needed.
  * Paper documents should be stored in locked cabinets/locked offices?

===== Data and Network Security Accomplishments =====

  * Establishment of GLB coordinators.
  * Review discussions with Financial Aid, Admission, Financial Services, HR, Registrar's Office.
  * Elimination of SSN from a number of interfaces and processes, including:
    * Health Insurance Card
    * Bookstore Feed, Library, Public Safety Systems
  * Elimination of employee SSNs in data bridges.
  * Masking of SSN on certain PS screens.
  * Elimination of SSNs where possible from common PS views.
  * Creation of the Gramm-Leach-Bliley Web Page: http://www.wesleyan.edu/its/glb/index.html. The GLB page is also linked off the Finance & Administration and Financial Services pages: http://www.wesleyan.edu/finance/
  * HR has included GLB information in their new-hire supervisors/managers checklist.
  * Implementation of InfiNet Credit Card Processing, which has moved all CC processing off Wesleyan networks.
  * Implementation of computer network VLANs (Virtual Local Area Networks), which create separate, logical segments of the network that help us protect the institutional databases and internal servers from intrusion.
  * Data Transfer Methods - all file transfer methods must use secure file transfer protocols.
  * SSL (Secure Socket Layer) encrypts clear text (including all passwords) as it passes over the Internet.
  * Diligent application of Microsoft, Oracle, Unix and network patches (not new, but noteworthy).
  * Instituted a requirement to change passwords every 6 months.
  * Implemented the Application Locking feature in EP.
  * SSN Audit conducted by administrative offices across campus.

===== Definition of Sensitive Data =====

  * Social Security Number
  * Credit Card Number
  * Compensation Information
  * Academic grades
  * Financial Aid Data
  * Non-Directory Information About Students
  * Curriculum/Advisory Data
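As an added example (not the committee's own tool, nor ITS's), a small Python scanner for the "periodic scans of non-secure directories" and "review network directory permissions" items in the ITS Group list: it walks a share, reports files holding structurally valid SSN-like values (the first item in the definition above) and notes which of those files are world-readable. It assumes the share is mounted locally and that SSNs appear as 3-2-4 digit groups; the sample files it builds are constructed, not real data.

```python
# Added example (not the committee's own tool): walk a share, flag files
# holding SSN-like values, and note which of those files are world-readable.
# Assumes the share is mounted locally and SSNs appear as 3-2-4 digit groups.
import os, re, stat, tempfile

# Optional '-' or ' ' separators; \b keeps us out of longer digit runs.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

def looks_like_ssn(area, group, serial):
    """Structural check to cut false positives: the SSA never issues
    area 000, 666 or 900-999, group 00, or serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return 1 <= a <= 899 and a != 666 and g != 0 and s != 0

def find_ssns(text):
    """Distinct SSN-like strings in text, structurally validated."""
    return sorted({m.group(0) for m in SSN_RE.finditer(text)
                   if looks_like_ssn(*m.groups())})

def scan_tree(root):
    """Map path -> (hits, world_readable) for every file with hits."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="ignore") as fh:
                    hits = find_ssns(fh.read())
            except OSError:
                continue  # unreadable or vanished: skip, don't abort
            if hits:
                public = bool(os.stat(path).st_mode & stat.S_IROTH)
                findings[path] = (hits, public)
    return findings

def demo():
    """Constructed sample share: an HR file with a real-looking SSN left
    world-readable, and a decoy with only a phone number and an invalid SSN."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "hr"))
    hr_file = os.path.join(root, "hr", "new_hires.txt")
    with open(hr_file, "w") as fh:
        fh.write("Jane Doe, SSN 123-45-6789, start 1/19/2007\n")
    os.chmod(hr_file, 0o644)
    with open(os.path.join(root, "phones.txt"), "w") as fh:
        fh.write("call 860-555-0100; bad id 000-12-3456\n")
    return {os.path.relpath(p, root): v for p, v in scan_tree(root).items()}
```

Pointing `scan_tree` at a mounted G: drive directory gives the periodic-scan report; a hit in a world-readable file is the case the "limited access" recommendation is meant to prevent.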