
Screening for VA Sensitive Data in UF Custody

Screening for VA Sensitive Data in UF Custody. For UF & VA Researchers, August 14 & 15, 2007. Agenda: Why We Are Here; Plan; VA Data Custody Screening Survey; Purpose; Identification; Affiliation (particularly UF); Review of identifiers; Location of your data; Result of your survey.

shelby

Presentation Transcript


  1. Screening for VA Sensitive Data in UF Custody
     For UF & VA Researchers
     August 14 & 15, 2007

  2. Agenda
     • Why We Are Here
     • Plan
     • VA Data Custody Screening Survey
     • Purpose
     • Identification
     • Affiliation (particularly UF)
     • Review of identifiers
     • Location of your data
     • Result of your survey
     • Information Security Self-assessment
     • Certification & Accreditation

  3. Why We Are Here
     • Per your IRB, you are a potential keeper of VA sensitive data.
     • The VA sensitive data may reside at the UF.
     • There are laws that protect personally identifiable data.
     • The biggest information security non-incident ever.
     • We are at war.

  4. Plan
     • Research VA information security requirements - Done
     • Screen research projects for VA sensitive data and UF affiliation - Started
     • Determine appropriate approach - Started
     • Purge VA sensitive data from UF resources
     • Move VA sensitive data in VA network
     • Pursue FISMA compliance
     • Security self-assessment
     • Implement required countermeasures
     • Certification and accreditation
     • Document all due diligence and decisions
     • Repeat

  5. VA Data Custody Screening Survey
     Purpose
     • Determine and document if you have custody of VA sensitive data on UF premises.
     Identification
     • Person filling out the survey
     • PI, Sub-PI, Co-PI
     • VA data in your custody? (Q 1)
     • Project & IRB#

  6. VA Data Custody Screening Survey
     Affiliation with UF
     • Anyone on the project? (Q 2)
     • Use of any UF resources? (Q 3)
     Data
     • Personally identifiable information (Qs 4-31)
     • De-identification, study number and x-ref file (Qs 32-34)

  7. VA Data Custody Screening Survey
     Location of VA Sensitive Data
     • X-ref file if one exists (Q 35)
     • Personally identifiable VA data (Q 36)
     • Removable Media (Q 37)
     • End user computing device (Q 38 – 40)
     Attest your answers are accurate by signing.

  8. Survey Result
     Self-assess with UF HSC Security Office if
     • Q 1 = Yes or Unsure, and
     • Q 2 or Q 3 = Yes or Unsure
     Self-assess with VA Security Office if
     • Q 1 = Yes or Unsure, and
     • Q 2 and Q 3 = No
     Please turn in your survey if complete.

  9. Information Security Self-assessments
     Using NIST 800-53A – Assess 17 Areas of Interest
     • Access Control*
     • Audit and Accountability*
     • Awareness & Training
     • Certification, Accreditation and Security Assessment
     • Configuration Management*
     • Contingency Planning*
     • Identification and Authentication*
     • Incident Response
     • Maintenance*
     • Media Protection*
     • Physical and Environmental Protection*
     • Planning
     • Personnel Security
     • Risk Assessment
     • System and Communications Protection*
     • System and Information Integrity*
     • System and Services Acquisition*

  10. Information Security Self-assessments
     General Steps for Self-assessments:
     • Read the checklists (particularly *) (PI) https://security.health.ufl.edu/VA_Research/index.shtml
     • Assign resources to the assessment (PI)
     • Schedule with HSC Security Office - plan for a minimum of two days (HSO, PI)
     • Assessment - Interviews, inspection and testing (HSO, PI)
     • Document results (HSO, PI)
     • Recommendations for compliance (HSO)
     • Identify availability of security services (HSO)
     • Implement recommendations (PI)

  11. Certification & Accreditation
     • Self-assessments – your opportunity to improve your security posture prior to certification.
     • Certification – formal review of security controls by an objective party using interviews, inspection, testing and the documentation. Information security risks are documented as well.
     • Accreditation – formal acceptance of the risks identified during certification and the subsequent authorization of the information system to store, process and transmit VA sensitive data. Accreditation is typically performed by an executive of the organization impacted by the risks (VA in this case).

  12. Questions
