
Security Awareness Training: Data Owners


Presentation Transcript


    1. Security Awareness Training: Data Owners

    2. Definition
    VITA 501-01, p. 8, 2.2.8 Data Owner: The Data Owner is the agency manager responsible for the policy and practice decisions regarding data, and is responsible for the following:
        1. Evaluate and classify the sensitivity of the data.
        2. Define protection requirements for the data based on the sensitivity of the data, any legal or regulatory requirements, and business needs.
        3. Communicate data protection requirements to the System Owner.
        4. Define requirements for access to the data.

    3. Take Full Ownership
    Primary focus is to assume responsibility: as the data owner, you are responsible for the data and for dictating how it is handled.

    4. Communication
    Communicate with the System Owner about:
        Regulations
        Policy
        Access control
        Reviewing
        Risk assessment, business continuity
        Disposal
    Communicate with end-users.

    5. Regulations & Policies
    What regulations, whether federal, state, local or organizational, apply to your data?
    Federal:
        FERPA - Family Educational Rights and Privacy Act
            http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
        PCI DSS - Payment Card Industry Data Security Standard
            https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
        HIPAA - Health Insurance Portability and Accountability Act
            http://www.hhs.gov/ocr/privacy/
    State/Regional:
        DHRM - Department of Human Resource Management
            http://www.dhrm.virginia.gov/
        SACS - Southern Association of Colleges and Schools
            http://www.sacs.org/
        SCHEV - State Council of Higher Education for Virginia
            http://www.schev.edu/
        VITA ITRM Standard SEC501-01
            http://www.vita.virginia.gov/uploadedFiles/Library/PSGs/IT_Security_Standard_501_01_101909_v2.pdf
        COV ITRM Standard SEC514-03, Removal of Commonwealth Data from Electronic Media Standard
            http://www.vita.virginia.gov/uploadedFiles/Library/PSGs/Data_Removal_Standard_514_03%2010_07_2008_r3.pdf
    NSU:
        Acceptable Use of Technological Resources
            http://www.nsu.edu/policies/pdf/60_201.pdf

    6. Access Controls
    Define who has access and how. Inform the System Owner and administrators of what they need in order to protect the data (VITA SEC501-01 Section 5, p. 26):
        Least privilege
        AAA (authentication, authorization, accounting): removing AAA, changes in AAA
        Shared accounts
        Local admin rights
        Etc.
    NSU Password Policy 62.002
        http://www.nsu.edu/policies/pdf/62-002ComputeSystemsPasswordsVer16.pdf
    Who can get to the data, when, how, and what permissions are applied to that data
        Is remote access allowed?
    How to protect data at rest (not in use or moving), e.g. archives that are not accessed often
        Does the data need to be encrypted?
    How to protect data in motion (USB, printing, memory)
        Does the data need to be encrypted?
    System interoperability/sharing

    7. Review
    Data protection is no good without regular review (VITA SEC501-01 Section 5, p. 26):
        "Do you know who has access and what kind of access?" (R, RW)
        "Who is checking those that can write?"
        "Protecting it?"
    How often? This is an audit point; be prepared to be asked again.
    Review the access controls listed previously.
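    The access-control questions on slides 6 and 7 (who has access, R or RW, shared accounts, local admin rights, removing access) become routine when the data owner keeps the access requirement in a form that can be checked against the actual grants. The script below is an added example, not part of the NSU/VITA deck: it compares a constructed ACL snapshot for a fictional "student_records" data set against a constructed HR roster and the owner's stated role-to-permission requirement, and reports every grant that needs a decision at review time. All account names, roles, data sets and the shared-account naming markers are assumptions for illustration.

```python
"""Access review helper for a data owner.

Given a snapshot of who holds which permission on a data set, the current HR
roster, and the owner's access requirement (which roles may read, which may
write), produce what the owner is asked for at review time: who can write,
and which grants look wrong. Every name below is constructed for this example.
"""
from dataclasses import dataclass


@dataclass
class Grant:
    principal: str          # account name as it appears in the ACL
    perm: str               # "R" (read) or "RW" (read and write)
    local_admin: bool = False


@dataclass
class Finding:
    principal: str
    perm: str
    reasons: list


# Constructed sample: the current ACL on the "student_records" share
ACL = {
    "student_records": [
        Grant("jdoe", "RW"),
        Grant("asmith", "R"),
        Grant("registrar_shared", "RW"),       # generic account used by a whole office
        Grant("bwong", "RW", local_admin=True),
        Grant("tleft", "R"),                   # employee who has left the agency
    ]
}

# Constructed HR roster: active accounts and the role each one holds
ROSTER = {
    "jdoe": "registrar",
    "asmith": "advisor",
    "bwong": "sysadmin",
}

# The data owner's stated requirement (slide 6, "define who has access and how"):
# which roles may hold R and which may hold RW on each data set
REQUIREMENTS = {
    "student_records": {"R": {"registrar", "advisor"}, "RW": {"registrar"}},
}

# Assumed naming convention for shared/generic accounts in this environment
SHARED_ACCOUNT_MARKERS = ("shared", "generic", "svc_", "temp")


def review(dataset, acl=ACL, roster=ROSTER, requirements=REQUIREMENTS):
    """Return a Finding for every grant that does not match the owner's requirement."""
    findings = []
    req = requirements[dataset]
    for g in acl[dataset]:
        reasons = []
        role = roster.get(g.principal)
        if any(m in g.principal for m in SHARED_ACCOUNT_MARKERS):
            # A shared account defeats accounting: no individual is answerable for writes
            reasons.append("shared/generic account: no individual accountability (AAA)")
        elif role is None:
            # Account is not on the roster, so the grant should already have been removed
            reasons.append("not on HR roster: access should have been removed")
        else:
            allowed = req.get(g.perm, set())
            if role not in allowed:
                reasons.append(f"role '{role}' is not permitted {g.perm} on {dataset}")
        if g.local_admin:
            reasons.append("holds local admin rights: confirm this is still required")
        if reasons:
            findings.append(Finding(g.principal, g.perm, reasons))
    return findings


def writers(dataset, acl=ACL):
    """Who can modify the data: the list the owner must be able to produce on demand."""
    return sorted(g.principal for g in acl[dataset] if g.perm == "RW")


if __name__ == "__main__":
    print("Can write:", writers("student_records"))
    for f in review("student_records"):
        print(f"{f.principal} ({f.perm}):")
        for r in f.reasons:
            print("   -", r)
```

    Run against the constructed snapshot, the report flags the shared registrar account, the sysadmin who holds RW outside the owner's requirement and also has local admin rights, and the departed employee whose read access was never removed. In practice the ACL snapshot would be exported from the file server or database and the roster from HR on the review schedule the owner sets; the requirement table is the artifact the owner actually controls, so keeping it written down is what makes the review repeatable when the question is asked again.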

    8. Risk/Business Continuity
    Develop with the System Owner.
    Classify data: a sensitive system is one holding any data for which risk is assessed as High in any of the confidentiality, integrity, or availability of that data.

    9. Social Engineering
    People are the weakest link.
        Phishing
        Never give out your password
        Lock your computer
        Dumpster diving: shred sensitive documents
