• We (Joanne Agostinelli, Todd Houle, James Taft & Steve Machuga) will be scheduling follow-up meeting with high priority offices/departments to review security techniques and suggestions as outlined in Joanne, James & Todd's documentation.
• Each group will continue to review their processes and implementation their recommendations.
• James Taft will continue working on the credential protection recommendations and actions.
• Ravi will take progress to Senior Staff.
• Mike Rice asked about faculty security awareness (particularly around student grades). We will take up that concern for the Fall '07 semester.
• Nate Peters mentioned that we need to stay on top of our vendors – to make sure they are adhering to proper security standards.
• Nate asked that we accelerate laptop protection options.
• Next Group Meeting TBD.

The three groups will report on their progress.

https://itsdoku.wesleyan.edu/doku.php?id=data_network_security:student ##

https://itsdoku.wesleyan.edu/doku.php?id=data_network_security:alumni ##

https://itsdoku.wesleyan.edu/doku.php?id=data_network_security:hr_benefits ##

• Types of Sensitive Data
• Procedures for Sharing Data
• Procedures for Storing Data (both Paper and Electronic)
• Interfaces with outside organizations.

The output of the sub-committees should be a short document expanding.

• Review of Administrative Departments and their security level - based on student, employee or financial data. - Steve

:non_acad_depts_ratings.xls

• Present tutorial on basic procedures for proper data storage and practise - Joanne and Todd

:security_recommendations_for_desktop_and_laptop_computers1.doc :security_recommendations_for_desktop_and_laptop_computers_mac_version1.doc

* High level review of services that have security risks - James https://itsdoku.wesleyan.edu/doku.php?id=tss:credentialprotection:recommendations ##

## Accessible only to security committee members with added security (email username and password)

Next meeting of the Advisory Group will be: December 6th at 10:00 o'clock (see Meeting Maker). We will review the reports of the four sub-groups (see below).

• Results of the audit can be reviewed through GLB Audit in the Administrative Applications section of your portfolio.
• Specific recommendations from the audit will be emailed (or otherwise communicated) to the responsible individuals.

We agreed to form 4 separate groups:

• Student information group headed by Anna van der Burg encompassing: Faculty, Registrar's Office, Health Services, Financial Aid, Admission, Student Accounts, Residential Life, Institutional Research and Academic Affairs.
• HR/Benefits Group head by Dan Pflederer and including Financial Services and Academic Affairs.
• Alumni Group headed by Deb Treister and Jane Jylkka.
• ITS group headed by Barbara Spadaccini and Steve Machuga and including ITS staff and Michael Rice from Computer Science.
• Eloise Glick and Paula Lawson may choose to form a fifth curriculum or Academic Affairs Group.

The Student, HR and Alumni groups will review their data and practises.

• Types of Sensitive Data
• Procedures for Sharing Data
• Procedures for Storing Data (both Paper and Electronic)
• Interfaces with outside organizations.

The output of the sub-committees should be a short document expanding upon the work of the initial SSN Audit.

Will publish policies and/or prepare tutorials on the following issues:

• Store electronic documents on network drive (G: drive) in lower level directories with limited access.
• Review network directory (G: drive) permissions periodically.
• Password protect documents that have to be stored, but don’t have to be shared.
• Don’t save passwords on your desktop.
• Paper shredding options
• Policies for retaining computer/directories of people who have left the university.
• PGP Encryption of email & attachments
• Move attachment folder to network directory (G: drive) for people/offices that regularly email sensitive information.
• Offer service for scanning of laptops for sensitive data by ITS desktop support.
• Periodic scans of non-secure directories for sensitive information
• Implement encryption of laptop passwords

• Don’t store anything (electronically or on paper) that you don’t absolutely need to.
• Remove sensitive data before saving documents if it’s not needed.
• Paper documents should be stored in locked cabinets/locked offices?

• Establishment of GLB coordinators.
• Review Discussions with Financial Aid, Admission, Financial Services, HR, Registrar's Office.
• Elimination of SSN from a number of interfaces and processes including:
• Health Insurance Card
• Bookstore Feed, Library, Public Safety Systems
• Elimination Employee SSN's in data bridges
• Masking of SSN on certain PS screens
• Elimination of SSN's where possible from common PS views

• Creation of the Gramm-Leach-Bliley Web Page. http://www.wesleyan.edu/its/glb/index.html . The GLB page is also linked off the Finance & Administration and Financial Service Pages. http://www.wesleyan.edu/finance/
• HR has included GLB information in their new hire supervisors/managers checklist.
• Implementation of InfiNet Credit Card Processing which has moved all CC processing off Wesleyan Networks.
• Implement of Computer Network VLAN (Virtual Local Area Networks) which creates separate, logical segments of the network that help us to protect the institutional databases and internal servers from intrusion.
• Data Transfer Methods - All file transfer methods must use Secure File Transfer Protocols.
• SSL(Secure Socket Layer) encrypt clear text (including all passwords) as it passes over the Internet.
• Diligent Application of MicroSoft, Oracle, Unix and Network Patches Oracle Patches (not new, but noteworthy).
• Instituted Requirement to change passwords every 6 months
• Implemented Application Locking feature in EP
• SSN Audit conducted by administrative offices across campus.

• Social Security Number
• Credit Card Number
• Compensation Information
• Academic grades
• Financial Aid Data
• Non-Directory Information About Students
• Curriculum/Advisory Data