20 Minutes with Bruce Edwards on securing sensitive data
(Originally presented by UofL Today for June 8, 2010)
A recently reported campus data breach shows why all University of Louisville faculty, staff and administrators need to be vigilant in securing data. A serious data breach could affect any department or unit that deals with confidential, sensitive or proprietary information. UofL Today asked Bruce Edwards, chief information security officer, what individuals can do on campus to reduce the risk of people having improper access to data.
Who is responsible for data security at UofL?
Basically, each department is. One of the university's greatest strengths, its flexibility in allowing departments and divisions the freedom to manage their internal operations with a high degree of independence, also means that each department must responsibly manage its sensitive information assets. The decentralized environment means that both the flexibility to operate and responsibility for effective risk management are incumbent on the department.
Are there policies to help them know how best to secure data?
Yes. UofL maintains comprehensive overall Information Security policies and standards that serve as baseline requirements for effective information security management - not just at the university level but also for each department or division. All university managers should use these policies as the basis for their departmental policies and procedures to maintain the confidentiality and integrity of the data entrusted to their custody.
All managers - by that you mean even those whose primary role is not a technical one?
Yes. All managers have a responsibility to protect sensitive information they or their department maintains or uses in the course of their departmental operations. Typically managers will work with their technical support staff to implement and maintain good data security practices.
Where do they start?
There are a few basic steps that can greatly enhance the security of sensitive data managed within each department. Each department's technical support personnel should be familiar with UofL's information security policies and, with the support of their department, should be able to implement these steps. The steps are simple, but they could very well require a lot of focus in departments with complex environments. (See "Department-level actions to help prevent a data breach" below for basic steps.)
What is the role of the Information Security Office?
The Information Security Office manages the university-wide information security policy, risk assessment, audit, compliance and awareness program, which is focused on electronically maintained sensitive information. We consult with units and offices on these topics (at no charge) and we also are available to speak at departmental meetings about information security. We can be reached at firstname.lastname@example.org or 852-8305.
Department-level actions to help prevent a data breach
See UofL's information security policies and standards
Network and Web Available Sensitive Information
- Identify and inventory all Web and Internet accessible sensitive information applications or sources.
- Assess critical need for this type of data to be available via Web or Internet.
- Verify properly restricted access to this information.
- Take down and remove all sensitive data and applications from Web/Internet accessibility that are not a critical need.
- Implement periodic review of all Web and Internet accessible sensitive information applications and verify ongoing proper functioning and restricted access.
- Ensure that adequate activity/audit logs are maintained for sensitive information and specifically PHI.
Laptop, Workstation, Portable Device Available Sensitive Information
- Identify and inventory all devices storing sensitive information.
- Assess critical need for this type of data to be available on the device.
- Remove all sensitive data from the device if it is not a critical need.
- Verify properly restricted access to this information (use encryption).
- Implement periodic review of all devices for sensitive information using criteria above.
- Verify ongoing proper functioning and restricted access.
Conduct ongoing education, awareness and training of all employees
- Privacy and Information Security Offices are available to conduct basic education and awareness training for this and related issues.
- The Information Security Office (ISO) will work with your department to conduct additional training for people who have technical responsibilities and/or the ability to publish information to the Web or who otherwise have the ability to make information accessible on the Internet.