Data stewards will work together with the Office of Information Technology to establish security/access guidelines for data.
7/11/07 - Johnie Sullivan , OIT Security Officer, attended the July 11 DGCouncil meeting to discuss the OIT security policies, with particular focus on Policy 1, and to take questions from the group. He framed his presentation by explaining that the focus is on compliance, and the alerts that go out when we have a breach.
Capstone Policy
There is one capstone policy that says that UNLV will use computer security to protect assets. Other policies are written to enforce this, and to focus on specifics.
Data stewards are front line for information need. The security office is here to help. Data stewards will look at the data within their control, and classify it. Together with the security office, will look at how to protect it.To accomplish everything, tackle one step at a time.
The security office has just completed an audit at the Dental School. Johnie uses a 44 page audit check list, although not all parts apply in all situations.
Policy 1 has a number of parts.
Policy standards are the requirements that have to be met to satisfy the policy. These are broad standards. Arrive at them by considering privacy and confidentiality, and then classifying the data accordingly.
The policy goes beyond the “official” data base to include copies of data that reside on laptops and desktops. Even desktops with student data have to be FERPA compliant. There are secondary doors to the data. Data can go outside the data base when it is needed.
Policy 2 – Asset classification
A handbook goes with it. Risk assessment also has a handbook. In that you define threats, look for vulnerabilities of the data – hardware, software, physical storage space. Look for what can go wrong.
The handbook is not on the web site – never tell the opponent how to break-in. Don’t explain what the sensitive data is and how it has been secured.
Retention and destruction policies are important. In some places paper records are a problem. Finance uses the guidelines for NV archives. Student records could fall to the hands of someone who just throws them away.
6/13/07 - Don Diener provided an introduction to the data security policies developed by OIT for the Data Governance Council - the introduction to the program included the following:
Board of Regents mandate
Description of the data security program that OIT is developing
Overview of the policies that have been drafted
Description of data stewardship role
Reference to web site so that members can look at them on their own time
Access to OIT Security policy information is available at the following web address: http://www.unlv.edu/infotech/infosec/ipolicy.html