
Meeting 1/19/2007

Notes

  • We (Joanne Agostinelli, Todd Houle, James Taft & Steve Machuga) will be scheduling follow-up meeting with high priority offices/departments to review security techniques and suggestions as outlined in Joanne, James & Todd's documentation.
  • Each group will continue to review their processes and implement their recommendations.
  • James Taft will continue working on the credential protection recommendations and actions.
  • Ravi will take progress to Senior Staff.
  • Mike Rice asked about faculty security awareness (particularly around student grades). We will take up that concern for the Fall '07 semester.
  • Nate Peters mentioned that we need to stay on top of our vendors – to make sure they are adhering to proper security standards.
  • Nate asked that we accelerate laptop protection options.
  • Next Group Meeting TBD.

Agenda

The three groups will report on their progress.

Student - Anna van der Burg et al

Alumni - Deb Treister and Jane Jylkka

Human Resources - Pat Melley and Dan Pflederer

Areas of comment from our October 31st meeting are:

  • Types of Sensitive Data
  • Procedures for Sharing Data
  • Procedures for Storing Data (both Paper and Electronic)
  • Interfaces with outside organizations.

The output of the sub-committees should be a short document expanding upon the work of the initial SSN Audit.

ITS - Joanne Agostinelli, Barbara Spadacini and James Taft

  • Review of Administrative Departments and their security level - based on student, employee or financial data. - Steve

Attachment: non_acad_depts_ratings.xls

  • Present tutorial on basic procedures for proper data storage and practice - Joanne and Todd

Attachments: security_recommendations_for_desktop_and_laptop_computers1.doc, security_recommendations_for_desktop_and_laptop_computers_mac_version1.doc

  • High level review of services that have security risks - James https://itsdoku.wesleyan.edu/doku.php?id=tss:credentialprotection:recommendations (accessible only to security committee members with added security: email username and password)

Notes from October 31st Data and Network Security Advisory Meeting

Next meeting of the Advisory Group will be: December 6th at 10:00 o'clock (see Meeting Maker). We will review the reports of the four sub-groups (see below).

SSN Audit 2006

  • Results of the audit can be reviewed through GLB Audit in the Administrative Applications section of your portfolio.
  • Specific recommendations from the audit will be emailed (or otherwise communicated) to the responsible individuals.

Working Groups

We agreed to form 4 separate groups:

  • Student information group headed by Anna van der Burg encompassing: Faculty, Registrar's Office, Health Services, Financial Aid, Admission, Student Accounts, Residential Life, Institutional Research and Academic Affairs.
  • HR/Benefits Group headed by Dan Pflederer and including Financial Services and Academic Affairs.
  • Alumni Group headed by Deb Treister and Jane Jylkka.
  • ITS group headed by Barbara Spadaccini and Steve Machuga and including ITS staff and Michael Rice from Computer Science.
  • Eloise Glick and Paula Lawson may choose to form a fifth curriculum or Academic Affairs Group.

Student, HR and Alumni Groups

The Student, HR and Alumni groups will review their data and practices.

  • Types of Sensitive Data
  • Procedures for Sharing Data
  • Procedures for Storing Data (both Paper and Electronic)
  • Interfaces with outside organizations.

The output of the sub-committees should be a short document expanding upon the work of the initial SSN Audit.

ITS Group

Will publish policies and/or prepare tutorials on the following issues:

  • Store electronic documents on network drive (G: drive) in lower level directories with limited access.
  • Review network directory (G: drive) permissions periodically.
  • Password protect documents that have to be stored, but don’t have to be shared.
  • Don’t save passwords on your desktop.
  • Paper shredding options
  • Policies for retaining computer/directories of people who have left the university.
  • PGP Encryption of email & attachments
  • Move attachment folder to network directory (G: drive) for people/offices that regularly email sensitive information.
  • Offer service for scanning of laptops for sensitive data by ITS desktop support.
  • Periodic scans of non-secure directories for sensitive information
  • Implement encryption of laptop passwords
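The "periodic scans of non-secure directories for sensitive information" item above, read together with the Definition of Sensitive Data at the end of these notes (Social Security Number, Credit Card Number), is the kind of task a small pattern scanner handles. The following is an added example written for these notes, not code from ITS or the committee. It walks a directory, flags lines that contain a plausible SSN (rejecting area/group/serial values the Social Security Administration never issues) or a Luhn-valid card number, and reports only the location and kind of each hit, never the matched value, so the report does not become another copy of the data. The file-suffix list, the directory layout and the sample file contents are assumptions constructed for the example.

```python
"""Scan text files for sensitive-data patterns (SSN, payment card number).

Added example for the ITS group's "periodic scans" item; not code from the
meeting notes or from Wesleyan ITS. Reports (line number, kind) only, never
the matched value.
"""
import os
import re
from typing import Dict, List, Tuple

# SSN in the conventional AAA-GG-SSSS layout. The lookarounds stop a 9-digit
# run inside a longer digit/dash sequence (phone numbers, IDs) from matching.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA allocation rules: area 000, 666 and 900-999, group 00 and serial 0000 are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, kind) for each probable SSN or card number in text."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_valid_ssn(*m.groups()):
                findings.append((lineno, "ssn"))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append((lineno, "card"))
    return findings


def scan_directory(root: str, suffixes=(".txt", ".csv", ".log")) -> Dict[str, List[Tuple[int, str]]]:
    """Walk root and return {path: findings} for every file that produced a hit.

    The suffix list is an assumption; a real deployment would also open
    office documents, which needs a format-specific text extractor.
    """
    report: Dict[str, List[Tuple[int, str]]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue               # unreadable file: skip, do not abort the scan
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    import tempfile
    # Constructed sample files; the numbers are made up, not real identifiers.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "roster.csv"), "w") as fh:
            fh.write("name,id\nA. Student,123-45-6789\nB. Student,000-12-3456\n")
        with open(os.path.join(tmp, "notes.txt"), "w") as fh:
            fh.write("card on file 4111 1111 1111 1111\nphone 860-555-0123\n")
        for path, hits in scan_directory(tmp).items():
            print(path, hits)
```

Run against a network share it lists, per file, the line numbers holding a probable SSN or card number; the second roster row and the phone number are correctly ignored because the SSN area 000 is never issued and a ten-digit phone number is too short to be a card number. A scanner like this produces false positives on any dash-separated numeric ID, so the output is a worklist for the data owner to review, not a verdict.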

Additional Recommendations

  • Don’t store anything (electronically or on paper) that you don’t absolutely need to.
  • Remove sensitive data before saving documents if it’s not needed.
  • Paper documents should be stored in locked cabinets/locked offices?

Data and Network Security Accomplishments

  • Establishment of GLB coordinators.
  • Review Discussions with Financial Aid, Admission, Financial Services, HR, Registrar's Office.
  • Elimination of SSN from a number of interfaces and processes including:
      • Health Insurance Card
      • Bookstore Feed, Library, Public Safety Systems
  • Elimination of employee SSNs in data bridges
  • Masking of SSN on certain PS screens
  • Elimination of SSNs where possible from common PS views
  • Creation of the Gramm-Leach-Bliley Web Page: http://www.wesleyan.edu/its/glb/index.html. The GLB page is also linked off the Finance & Administration and Financial Service pages: http://www.wesleyan.edu/finance/
  • HR has included GLB information in their new hire supervisors/managers checklist.
  • Implementation of InfiNet Credit Card Processing which has moved all CC processing off Wesleyan Networks.
  • Implementation of computer network VLANs (Virtual Local Area Networks), which create separate, logical segments of the network that help us protect the institutional databases and internal servers from intrusion.
  • Data Transfer Methods - All file transfer methods must use Secure File Transfer Protocols.
  • SSL (Secure Sockets Layer) encrypts clear text (including all passwords) as it passes over the Internet.
  • Diligent application of Microsoft, Oracle, Unix and network patches (not new, but noteworthy).
  • Instituted Requirement to change passwords every 6 months
  • Implemented Application Locking feature in EP
  • SSN Audit conducted by administrative offices across campus.

Definition of Sensitive Data

  • Social Security Number
  • Credit Card Number
  • Compensation Information
  • Academic grades
  • Financial Aid Data
  • Non-Directory Information About Students
  • Curriculum/Advisory Data
data_and_security_advisory.txt · Last modified: 2007/01/25 14:54 (external edit)