Page 1: IT SECURITY POLICY AND COMPLIANCE 07/22/2013 Connie Barling Information Security Officer Alice Maginnis Associate University Counsel Robin Knapp Comptrollers,

Page 2:

IT SECURITY POLICY AND COMPLIANCE

07/22/2013

Connie Barling, Information Security Officer

Alice Maginnis, Associate University Counsel

Robin Knapp, Comptrollers, Redbird Card Office

Jess Ray, Registrar

Page 3:

AGENDA

• 9.8 Policy and Procedures
• Compliance
• PCI
• FERPA

Page 4:

9.8 POLICY AND PROCEDURES

Page 5:

9.8 POLICY ON SECURITY OF INFORMATION TECHNOLOGY RESOURCES AND SYSTEMS

Framework to protect Illinois State University’s information technology resources, computers, networking systems, and data.

Page 6:

SECURING THE DATA
9.8.1 PROCEDURE ON DATA CLASSIFICATION

Data Classifications

• Highly Restricted
• Restricted
• Unrestricted

Page 7:

SECURING THE DATA
9.8.2 PROCEDURE FOR SECURING AND ACCESSING EACH DATA/SYSTEM CLASSIFICATION

Data Resource Types

• Non-Electronic Media
• Electronic Media
  – University owned, maintained, or contracted servers
  – University owned, maintained, or contracted workstations
  – Personally owned workstations

Page 8:

SECURING THE DATA
DATA RESOURCE TYPES – CONT.

• Electronic Media – cont.
  – University owned or maintained laptop computers
  – Personally owned laptop computers
  – University owned or maintained mobile devices
  – Personally owned mobile devices
  – University owned, maintained, or contracted printers, scanners/faxes, multi-function devices, and electronic surveillance devices

Page 9:

SECURING IT RESOURCES AND SYSTEMS

9.8.2 identifies Standards Working Groups. These standards are being developed by a team consisting of AT and University Security personnel:

• Account and Password Standard
• Minimum Security Standards for Servers
• Minimum Security Standard for Workstations
• Minimum Security Standard for Laptops
• Minimum Security Standard for Mobile Devices
• Minimum Security Standard for Printers/Scanners/Faxes, and Multi-Function Devices
• Encryption Standard
• Remote Access Standard

Page 10:

DATA DISPOSAL

• Computer systems and other electronic devices store information on a variety of media. It is important that all licensed software, "highly restricted" data, and "restricted" data are thoroughly sanitized from University-owned devices (computers, tablets, smart phones, etc.) before they are surplussed. Deleting files or reformatting a drive does not sanitize it; sanitization means overwriting, cryptographically erasing, or physically destroying the media (NIST SP 800-88 is the standard reference for choosing the method per media type).

• The State of Illinois requires that all surplussed equipment be disposed of in accordance with the Data Security on State Computers Act.

Knowledge base article on the Technology Support Center website

Page 11:

OVERVIEW OF SECURITY ROLES
9.8.3 PROCEDURES FOR DEFINING ENTERPRISE DATA REPOSITORY MANAGEMENT ROLES AND RESPONSIBILITIES

• Data Steward Council
• Data Steward
• Functional Owners
• Data Custodians
• Unit Security Liaisons
• Information Security Officer
• Information Architecture Team
• Information Technology Security Incident Response Team (ITSIRT)

Page 12:

ACCESS REQUEST
9.8.4 PROCEDURES FOR REQUESTING AND GRANTING ACCESS TO THE ENTERPRISE DATA REPOSITORY

USLs (Unit Security Liaisons) are the principal contact for data security related matters and request access for their unit:
• Request new or changed data access for the unit
• Security awareness
• Review the access list

Page 13:

ACCESS REVIEW
9.8.5 PROCEDURES FOR NON-AFFILIATED INDIVIDUALS REQUESTING ACCESS

• Must be sponsored
• Method
• Responsibilities

Page 14:

INCIDENT REPORTING
9.8.6 PROCEDURE FOR IT SECURITY INCIDENT REPORTING

What is an incident?
An information technology security incident is an event that:
• Impacts or has the potential to impact the confidentiality, integrity, or availability of ISU Information Technology Resources and Systems.
• Violates state or federal law or the policies and procedures of the University.

Page 15:

INCIDENT REPORTING – CONT.

Who should report an IT security incident?
Any individual or group who in the course of using ISU Information Technology Resources and Systems observes an information technology security incident shall report that incident.

Page 16:

INCIDENT REPORTING – CONT.

Where to report the incident?

Overview of IT Security Incident Reporting
• Criminal Activity – ISU Police
• Copyright violations – [email protected]
• Violations of the Appropriate Use Policy – [email protected]
• All other incidents – Unit Security Liaison

Page 17:

INCIDENT REPORTING – CONT.

When a USL reports an Incident
The classification of the Data involved in the Incident determines the urgency of reporting the Incident.

• Highly Restricted Data: Call 438-ITSR (438-4877) Immediately!
  – Contain the Incident
    • DO NOT POWER OFF THE SYSTEM (powering off destroys volatile evidence such as memory contents and active network connections)
    • Remove the system from the network if possible
  – Wait to be contacted by the IT Security Incident Response Team (ITSIRT)

Page 18:

INCIDENT REPORTING – CONT.

When a USL reports an Incident
• Restricted Data: Complete the online IT Security Incident Report or call 438-ITSR
  – Contain the Incident
    • DO NOT POWER OFF THE SYSTEM
    • Remove the system from the network if possible
  – Wait to be contacted by the IT Security Incident Response Team (ITSIRT)
• Unrestricted Data: Complete the online IT Security Incident Report
  – Repair the system and restore the service.

Page 19:

SECURING IT RESOURCES AND SYSTEMS
9.8.7 PROCEDURES FOR ADMINISTRATION OF THE ENTERPRISE DATA REPOSITORY

• Guiding Principles
• Data Capture and Storage
• Data Integrity, Validation, and Correction
• Data Extracts and Reporting
• Data Management
• System Administration

Page 20:

ESIGNATURES
9.8.8 ELECTRONIC SIGNATURE PROCEDURES

• Risk Assessment and implementation method
• Responsibilities
• Developing and Implementing the Process
• Compliance

Page 21:

ADMINISTRATIVE TECHNOLOGIES SECURITY WEB SITE
AT.SHAREPOINT.ILLINOSSTATE.EDU/SECURITY

Page 22:

COMPLIANCE

Page 23:

LEGAL PROTECTIONS FOR DATA

• Electronic records and data are subject to numerous state & federal laws designed to protect the privacy of sensitive information.

• University Data Classifications & Applicable Laws/Regulations
  – “Highly Restricted Data”
    • Social Security Numbers
    • Health Information
    • Other Personal Information
    • Financial Data
  – “Restricted Data”
    • FERPA Protected (Student Records)
    • Other Data

Page 24:

HIGHLY RESTRICTED DATA

• Personal Information
  – Social Security Number
  – Birthdate (month, day, year)
  – Certificate/License Number
  – State Identification Card Number
  – Directory Information Restricted by employee or student
  – Disability status
  – Driver’s License Number
  – Genetic or Biometric Information or Identifiers
  – Marital Status
  – Medical records and personal health information

• Financial Information
  – Account payment history
  – Application fee waiver
  – Bank account number/financial account numbers
  – Credit or Debit Card Number
  – Redbird Account Number
  – Donation Information
  – Garnishment
  – Student Loan Accounts and Information
  – Federal Student Aid Application and Information

• University Records
  – Human Resource Benefits Records
  – Job action material
  – Background Checks
  – Payroll information
  – Internal Audit Records
  – Investigator ID
  – Electronic Surveillance
  – Library Material Checked Out
  – Location or management of hazardous materials
  – Network diagrams
  – Passwords, passphrases, PIN
  – Police Reports Detail
  – Personally identifiable information (PII) of human subjects
  – Student Application Criminal History (self-reported) Status
  – Counseling Center Records

Page 25:

RESTRICTED DATA

• Other Data
  – Facility Availability
  – Facility Floor Plans/Diagrams
  – Facility Maintenance Records
  – Facility Work Orders
  – Gender
  – Military Status
  – Personnel Record
  – Race/Ethnicity
  – Staff Calendar/Scheduling
  – Staff Sick and Vacation Time Used
  – Student Course Evaluations
  – University ID data (employee)
  – Veteran Status
  – Wellness Center Program Information
  – Work Authorization (I-9)

• FERPA Protected
  – Community Rights and Responsibilities Records
  – Dining Hall Usage
  – Electronic Door Access Records (if student)
  – Student Fitness Center Membership and Usage
  – Student Evaluations
  – Student Grades
  – Student Schedules
  – University ID data (student)
  – Veteran status (student)

Page 26:

SOCIAL SECURITY NUMBER

• University Policy 1.13 Identity Protection
  SSNs can be collected for ONLY limited purposes required by law, such as:
  – Mandatory IRS withholding & reporting for students, vendors, employees.
  – Entering into financial transactions.
  – SSN disclosure is ONLY permitted with consent or when required by law.

• Collecting Social Security Numbers When Required By Law
  – A statement must be provided explaining the purpose of collecting the number and whether the request is voluntary or mandatory.

Page 27:

SOCIAL SECURITY NUMBER

• SSNs may not:
  – Be publicly posted or displayed
  – Be transmitted over the Internet, unless the connection is secure or the SSN is encrypted. SSNs should not be required for access to University resources.
  – Be e-mailed or otherwise delivered to the individual, except when required by law or by application / enrollment materials.
  – Be used for any purpose other than the purpose for which they were collected

• Maintaining Records Containing Social Security Numbers:
  – Records must be maintained ONLY by University employees required to have access to the numbers, and in a confidential format.
  – Numbers must be redacted if released in a public format.
  – Records must be disposed of in a secure fashion and follow the University Record Retention Policy (7.1.55).

Page 28:

HEALTH INFORMATION

Specific health information is protected by federal and state law with more stringent confidentiality and disclosure requirements:
• Health Insurance Portability and Accountability Act (HIPAA) for Covered Health Units
• Illinois Mental Health and Developmental Disabilities Confidentiality Act
• Physician and Patient Privilege
• Americans with Disabilities Act (ADA)

Page 29:

OTHER PERSONAL INFORMATION

Other specific data/information is protected by additional federal and state law with more stringent confidentiality and disclosure requirements:
• Personal Information Protection Act
• Personnel Record Review Act
• Biometric Information Privacy Act
• Genetic Information Privacy Act
• Library Records Confidentiality Act

Page 30:

FINANCIAL DATA PROTECTIONS

• Personal Information Protection Act
• Red Flags Rule
• Payment Card Industry Data Security Standard (PCI DSS) (Credit Card Transactions)

Page 31:

FINANCIAL DATA: RED FLAGS RULE

• FTC rule designed to create systems to prevent, detect & respond appropriately to identity theft.
• University Identity Theft Prevention Policy 1.4 and Procedure 1.4.1
• Protects information associated with University accounts that could be used to identify a specific person, such as:
  – Name, Address, Phone, E-mail, Date of Birth
  – Identifying Numbers: Driver’s license, Passport Number, SSN, FEIN
  – Account number(s)
  – Computer Information: IP Address, Routing Code

Page 32:

• A Red Flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft.

• If Red Flags are detected, please consult with your supervisor regarding appropriate steps to take to prevent identity theft.

• The University should maintain records regarding Red Flags and responses.

FINANCIAL DATA:RED FLAGS RULE

Page 33:

PCI

Page 34:

FINANCIAL DATA: PCI
ROBIN KNAPP

• What are the Payment Card Industry Standards?
• Requirements for Departments
• Where to get information?
• What to do if there is a security breach?

Page 35:

WHAT IS PCI?

• Payment Card Industry (PCI) Data Security Standard (DSS), set up by Visa and MasterCard and now maintained by the PCI Security Standards Council.
• All credit card companies in the U.S. have endorsed the Standard.
• Created so there would be common industry security requirements.

Page 36:

WHY FOLLOW PCI STANDARDS?

• Protect customers against fraud and identity theft
• Mandated by credit card companies – “If you accept our credit card, you must follow these rules”
• For the University’s protection, to avoid huge penalties and bad publicity

Page 37:

TWELVE REQUIREMENTS

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Page 38:

TWELVE REQUIREMENTS

3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications (testing, documentation, back-up).

Page 39:

TWELVE REQUIREMENTS

7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.

Page 40:

TWELVE REQUIREMENTS

10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for employees and contractors.

Page 41:

REQUIRED OF DEPARTMENTS

• Pre-approval on all software purchases with credit card capabilities
• Signature forms for all new employees (updated every year)
• Yearly training (every spring)
• Update Business Practices (yearly)
• Let the E-Commerce Committee know if anything changes (procedures; staff)

Page 42:

REQUIRED OF DEPARTMENTS

• TouchNet Applications
  – uStores
  – uPay
• ONLY ENTER CREDIT CARD PAYMENTS ON SECURE, DEDICATED LAPTOPS OR WORKSTATIONS PROVIDED BY ADMINISTRATIVE TECHNOLOGIES.

Page 43:

REQUIRED OF DEPARTMENTS

• Don’t store full credit card numbers, exp. dates, PINs, or security codes.
• Settle credit card machines nightly and keep them secure.
• Don’t transmit credit card numbers via e-mail or networked fax machines.
• Don’t print full credit card numbers on receipts.
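The SSN rules on Page 27 (numbers must be redacted before release in a public format, never e-mailed in the clear) and the department PCI rules above (no full card numbers on receipts, none sent by e-mail or fax) come down to the same control: find the identifier in outbound text and mask it before the text leaves the unit. The following is an added example, not code from the deck or from Illinois State University, showing a small scanner that does this. It assumes the SSA's structural SSN rules, a 13-19 digit Luhn-valid candidate for card numbers, and a mask that keeps only the last four digits (stricter than the PCI DSS first-six/last-four maximum); the sample receipt text is constructed, using a public test card number and a made-up SSN.

```python
"""Added example: DLP-style scanner that finds Social Security Numbers and payment
card numbers (PANs) in free text and masks them before release.

Assumptions (the deck does not specify these):
  * SSN structure per SSA: area not 000, 666 or 900-999; group not 00; serial not 0000.
  * A candidate PAN is 13-19 digits, optionally separated by single spaces or
    hyphens, and must pass the Luhn check.
  * Masking keeps only the last four digits (PCI DSS permits at most first six
    and last four); keep_last4=False blanks the value entirely.
"""
import re

# 3-2-4 digit groups with optional "-" or " " separators; the look-arounds stop a
# match from starting or ending inside a longer run of digits (e.g. a phone number).
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# 13-19 digits, each optionally followed by one separator. Applied before the SSN
# pattern so the 3-2-4 shape cannot fire on a fragment of a card number.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural validity per SSA rules (assumption, see module docstring)."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers: from the right, double every
    second digit (subtracting 9 if the result exceeds 9); the sum must be % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(text: str, keep_last4: bool = True):
    """Return (redacted_text, findings). findings is a list of (kind, last4) so a
    caller can log what was found without logging the sensitive value itself."""
    findings = []

    def pan_sub(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw  # long digit runs that fail Luhn are not card numbers
        findings.append(("PAN", digits[-4:]))
        tail = digits[-4:] if keep_last4 else ""
        return "*" * (len(digits) - len(tail)) + tail

    def ssn_sub(m):
        area, group, serial = m.groups()
        if not is_valid_ssn(area, group, serial):
            return m.group(0)  # structurally impossible SSN: leave as-is
        findings.append(("SSN", serial))
        return "***-**-" + (serial if keep_last4 else "****")

    text = PAN_RE.sub(pan_sub, text)  # PANs first (longer pattern)
    text = SSN_RE.sub(ssn_sub, text)
    return text, findings


# Constructed sample input (not real data): a receipt template containing a public
# test card number, a made-up SSN, the ITSR phone number from the deck, and a
# structurally invalid SSN that must be left untouched.
SAMPLE_RECEIPT = (
    "Redbird Card Office receipt\n"
    "Card: 4111 1111 1111 1111  Amount: $25.00\n"
    "Student SSN on file: 123-45-6789  Phone: 309-438-4877\n"
    "Reference 000-12-3456 is not a valid SSN and is left untouched.\n"
)

if __name__ == "__main__":
    cleaned, found = redact(SAMPLE_RECEIPT)
    print(cleaned)
    print("findings:", found)
```

Run it over a receipt template or an outgoing message body before it leaves the unit, and log only the findings list (kind and last four), never the raw value. A nine-digit account or reference number that happens to fit the 3-2-4 shape will also be flagged; that false-positive tradeoff is inherent to pattern-based detection and is why the structural checks and the Luhn test are applied rather than matching on digit count alone.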

Page 44:

REQUIRED OF DEPARTMENTS

• All credit card processing must be approved by the E-Commerce Committee
  – Approved 3rd party software
  – Credit Card machines provided by Global
  – TouchNet
  – Dedicated laptops for data entry
  – Only mobile device approved is the cellular omni from Global

Page 45:

REQUIRED OF DEPARTMENTS

• Square and other card readers that attach to systems (laptops, cell phones, iPads, etc.) are NOT approved
• Payments must go through the University

Page 46:

WHERE TO GET INFORMATION

• Comptroller’s Website (A-Z, PCI)
• E-Commerce Committee
  – Robin Knapp
  – Tom Shadid
  – Dave Carson
  – Tim Flynn
  – Ryan Grahs
  – Connie Barling
  – Rendi Cottrell
  – Paul Unsbee
  – Adam Listek

Page 47:

WHAT TO DO IF THERE’S A BREACH

• Suspected or confirmed security breach (credit card numbers have been compromised)
• Call the Technology Support Center: 438-4357 (HELP)
• Comptroller’s Office will work with the department to determine the extent of the breach
• Comptroller’s Office may need to contact Visa, Local FBI, and U.S. Secret Service

Page 48:

FERPA IN 10 MIN.

USL Training Session

Page 49:

WHAT IS FERPA?

• The Family Educational Rights & Privacy Act of 1974 (FERPA) sets forth requirements regarding the privacy of student records.
• Under FERPA students have the right to:
  – Inspect & review their education records
  – Request to amend their education records
  – Limit the disclosure of personally identifiable information (including directory information)

Page 50:

WHO DOES FERPA PROTECT?

• FERPA protects the education records of any currently or formerly enrolled student regardless of their age or parental dependency status.
• FERPA does not apply to:
  – Individuals who have applied but have not yet attended
  – Deceased students

Page 51:

RECORDS ARE…

• Education Records are records that are:
  – Directly related to a student
  – Maintained by an educational agency or institution or by a party acting for the agency or institution.
• Records are any information maintained in any way, including, but not limited to:
  – Handwriting, Video or Audio Tape, Computer Media, Film, Print and Microfilm/Microfiche.

Page 52:

EXCEPTIONS TO EDUCATION RECORDS

• Sole Possession Records – Those records or private notes held by a school official that aren’t accessible or revealed to other staff.
• Law Enforcement Records – Records created/maintained for a law enforcement purpose
• Employment Records

Page 53:

RECORDS EXCEPTIONS CONT.

• Medical Records – Records made and maintained in the course of treatment and disclosed only to those individuals providing treatment.
• Non-Current Student Records – Records that only contain information about a student after he or she is no longer at the institution (e.g. Alumni Records).

Page 54:

SO WHAT INFORMATION CAN WE DISCLOSE?

• As long as the student has not requested a restriction, we can release a student’s directory information without violating FERPA.

• Directory information is information that if disclosed, is not generally considered harmful or an invasion of privacy.

Page 55:

DIRECTORY INFORMATION AT ISU

• Student’s Name
• Address (local & home)
• Telephone Listing (local & home)
• Email Address
• Date & Place of Birth
• Major Field of Study
• Dates of Attendance
• Grade level (Fr, So, etc.)
• Enrollment Status (UG, GR, full-time, part-time, etc.)
• Participation in officially recognized sports and/or activities

Page 56:

DIRECTORY INFORMATION CONT.

• Weight & Height of Athletic Team Members
• Target Graduation Date
• Degrees Earned
• Merit Honors and/or Awards Received
• Most Recent Educational Agency or Institution Attended

• Signed and dated written consent from the student is required to disclose information not deemed directory in nature.

Page 57:

WHO MAY HAVE ACCESS TO STUDENT INFORMATION?

• The student and any individual/entity who has the student’s written permission *
• School officials (as deemed by the University) who have a legitimate educational interest
• Parents of a dependent student as defined by the Internal Revenue Code *
• A person in response to a lawfully issued subpoena/court order (the University should try to inform the student first)

* The University may provide the information to the external entity or the parents, but is not required to.

Page 58:

WHEN IS CONSENT NOT NEEDED?

Consent is not needed for the following disclosures:
• Release of directory information
• To School Officials who have a legitimate educational interest
• To Federal, state & local authorities in connection with an audit or evaluation of compliance with educational programs
• In connection with financial aid, including Veterans’ benefits
• To organizations conducting studies for or on behalf of an educational institution

Page 59:

WHEN IS CONSENT NOT NEEDED CONT.

• Accrediting organizations

• Parents of a dependent student

• Comply with a judicial order or subpoena

• In a health or safety emergency

• Release the results of a disciplinary hearing to an alleged victim of a violent crime

Page 60:

POSTING GRADES

• Posting grades and other non-directory information in a public place without written consent of the student is a violation of federal law.
  – Do not leave graded papers in a hallway for students.

Page 61:

LETTERS OF RECOMMENDATION

• If non-directory record information is used in the letter, then you need the student’s written release.
• If you use observations or directory information and the student does not have a restriction, then you do not need the written release.

Page 62:

ADDITIONAL RESOURCES

AACRAO: www.aacrao.org

US Department of Education: www.ed.gov/policy/gen/guid/fpco/index.html

Office of the University Registrar: www.registrar.ilstu.edu

Page 63:

QUESTIONS?