title slide: iu data protection & privacy tutorial · web viewthree secure methods for sharing...

30
Title Slide: IU Data Protection & Privacy Tutorial Editor’s Note: This accessible alternative was converted from a narrated PowerPoint. Any extra information from the voiceovers have been included in their appropriate place on the slide and demarcated with text: voiceover then a colon.

Upload: phamthien

Post on 04-May-2018

215 views

Category:

Documents


0 download

TRANSCRIPT

Title Slide: IU Data Protection & Privacy TutorialEditor’s Note: This accessible alternative was converted from a narrated PowerPoint. Any extra information from the voiceovers have been included in their appropriate place on the slide and demarcated with text: voiceover then a colon.

Slide 1: OverviewAs an employee of Indiana University, YOU have a responsibility to protect the data you come in contact with every day.This tutorial is intended to provide you with an understanding of:

• The types of data IU collects and how it is classified• Your data handling responsibilities• The basic privacy laws you must comply with as an employee of the university

VoiceOver: Let’s begin by discussing data types and who may have privacy concerns.Slide 2: IU DataHere at IU, we collect and store many types of data in the course of our daily business. Some examples are…

• student information• employment records• research information• personal health information (PHI)• vendor information• e-commerce

Slide 3: IU Data (Continued)lU's students, parents, employees, alumni, donors, and other constituents expect that the data provided to IU will be protected and handled appropriately.So, how do I protect IU data???

Slide 4: You can protect IU data by…1. Knowing how IU classifies data2. Handling Data Appropriately3. Adhering to data access principles4. Knowing Privacy Laws, Regulations & Policies5. Taking Responsibility

VoiceOver: Let’s take a closer look at Data Classification…

Slide 5: Number 1 - Know how IU classifies dataThere are four data classifications to define the access, handling, and proper disposal of data.

• Public• University Internal• Restricted• Critical

Slide 6: PublicData that has few or no restrictions for access, disclosure, and disposal such as:

• Schedule of classes• Course Catalog• Employee salary information• Employee business phone or office assignment

Slide 7: University InternalData that may be accessed by employees & designated appointees of the university in the conduct of university business, such as:

• University ID• Basic building floor plans• Tenure recommendations

Slide 8: RestrictedData that requires specific authorization to access or disclose. Secure disposal is required. Examples include:

• Student class schedule, advising notes, and grades• Full date of birth, ethnicity, citizenship• Employee address and home phone

Slide 9: CriticalData that requires authorization to access and the highest level of protection!Important: Inappropriate handling of this data can result in personal criminal or civil penalties. Secure disposal is required!This would include things like:

• Social Security number• Driver's license number• Banking and credit card account numbers• Protected health information (PHI)

VoiceOver: We have discussed the 1st of 5 elements involved in protecting IU data, “Knowing How IU Classifies Data”. NOW: Let’s examineSlide 10: Number 2 - Handle Data AppropriatelyIn addition to understanding IU data classification, it is important for you to know how to...

• Access data appropriately• Share IU data securely• Store IU data securely• Transmit IU data securely• Dispose of IU data securely

VoiceOver: Let’s focus the first bullet, “Access” by placing emphasis on Protecting your IU Passphrase and Protecting your Accounts.

Slide 11: Protect your IU Passphrase!• Never share it with anyone• Never use it for other applications and services not approved by the university• Always say "NO" if prompted to save in memory• Do change it at least every 2 years

If you suspect your passphrase has been compromised, do change it as soon as possible and report it to [email protected] immediately.

Slide 12: Protect your Accounts!• Set your screen to auto lock on all systems and devices• Utilize passcodes on all mobile devices (smart phones, tablets, etc.)• Encrypt mobile devices that store institutional data and/or critical mission systems• Get technical assistance from the Knowledgebase or your Local Service Provider (LSP).

Slide 13: Share Information SecurelyYou may need to transfer or share information externally as part of your job.Three secure methods for sharing restricted data include:

1. Slashtmp.iu.edu for all classifications of data including critical data.2. Box Entrusted Data Account for restricted data.3. Box Health Data Account for protected health information (PHI) and some restricted data. VoiceOver: BOX may not be used for critical data except for a special kind of critical data called Protected Health Information

or (PHI). To share PHI data, you must use a Box Health Data Account which is managed specifically for this highly sensitive category of data.VoiceOver: You can find out more about these two Box accounts by reviewing the Knowledgebase document titled: “ At IU, how do I request a Box account for use with sensitive data? ”

Slide 14: Use Email AppropriatelyDo NOT send restricted and critical data via email unless:

• Your role requires it AND• Email will:

a. stay within IU (does not include Imail/Umail) ORb. be encrypted by the Cisco Registered Envelope Service (CRES)

VoiceOver: Keep in mind iMail and uMail are considered to be external to IU.Never ask an external party to transfer critical information to you via email (ex. social security card, driver's license, visa, tax returns, banking information, etc.)

Slide 15: Encrypt emailWhen you need to encrypt an email message using Exchange’s CRES Cisco Registered Envelope Service include the words:Secure Message OR Confidentialin the Subject line of the email messageVoiceOver: Exchange will automatically encrypt the message and send instructions to the recipient for how to unencrypt the message.

VoiceOver:Slide 16: Don't Fall for Phishing ScamsIU will never request your passphrase, SSN or confidential information via email.Be suspicious of email that asks you to enter or verify personal information thru a website or by replying to the message itself.Not sure? Here are some tips to keep you from getting hooked:

• Are you expecting an email of this nature (e.g., password reset, account expiration, wire transfer, travel confirmation, etc.)?• Does the email ask for personal info (password, credit cards, SSN, etc.)?• When hovering over links, do the hover-text link match the actual text? Do the actual links look like sites you do business with?• Click "Reply." Does the address in the "To" field match the sender?• If from an IU email account, does the header include "external- relay.iu.edu"? If so, it's likely not coming from a legitimate IU sender.

Still not sure? Want to report an attack?Send the email message along with full email headers to [email protected] .

VoiceOver: We have discussed data handling issues associated with “access” and “sharing”. Now let’s discuss a 3rd handling issue: “STORING” data.Slide 17: Never Store Sensitive Data…

• In email• Longer than required• On a webserver used to host a web site open to the public• On your mobile devices (laptop, USB flash drive, tablet, smartphone) unless the information is properly encrypted and you have written approval from the senior executive of your unit

Slide 18: Storage Options at IU• Intelligent Infrastructure-all data classifications• Slashtmp - all data classifications• Entrusted Box - restricted data or less (no critical data)• Health Data Box - ePHI critical data and some restricted or less• Sharepoint - restricted data or less (no critical data)• Canvas - restricted data or less (no critical data)• OnBase - all data classifications• Secure IU file server - to be assessed by Department

Ask questions if you are unsure of where to store sensitive information!

VoiceOver: Transmitting data securely, the 4th data handling practice is particularly relevant when working off campus.Slide 19: Working Securely from off CampusVirtual Private Network (VPN) connectionMany IU resources require a Virtual Private Network (VPN) connection if you're accessing services from off campus. IU offers both SSL and IPsec VPN connections.

• If you're unable to access a standard resource or tool you use on campus, connect to VPN and try again.• For more info see Basics of VPN in the kb article: https://kb.iu.edu/d/ajrq• Safety tip: Do not access sensitive data when utilizing a public network without encryption.

VoiceOver: Proper disposal of data is the 5th and final practice discussed in this tutorial in regard to appropriate handling of data.Slide 20: Proper Disposal

• Cross-shred paper containing critical and restricted data when no longer required for business• Shred Failed devices and media containing sensitive data including laptops/phones• Check with your campus on what shredding services are available locally (such as IU Surplus Stores)

VoiceOver: This wraps up our discussion of “Handling Data Appropriately”.

VoiceOver: OK, we’ve covered Data Classification and How to Securely Handle Data. Let’s move on toSlide 21: Number 3 - Adhere to Data Access Principles

• Access data only to conduct university business• Do not access data for personal profit or curiosity• Limit access to the minimum amount of information needed to complete your task• Respect the confidentiality and privacy of individuals whose records you access• Do not share IU data with third parties unless it is part of your job responsibilities and has been approved by the appropriate data stewards• Ask questions when you are unsure about data handling procedures

VoiceOver: The 4th way to protect IU’s data is to know important privacy laws, regulations and policiesSlide 22: Number 4 - Know Privacy Laws, Regs, PoliciesEvery IU employee should be aware of the following federal privacy laws:

• The Family Educational Rights and Privacy Act (FERPA) generally prohibits the disclosure of student education records without the prior written consent of the student.• The Health Insurance Portability and Accountability Act (HIPAA) imposes numerous, strict privacy and security requirements on protected health information.

VoiceOver: Let’s take a closer look at FERPA and HIPAA in the next 3 slides.

Slide 23: FERPA• Once students starts attending a university, privacy rights transfer from parent to student.• Written permission is required to share FERPA data with 3rd parties.• Student educational records must be restricted to school officials with a legitimate educational interest.• lU's policy for Release of Student Information details lU's procedures to provide appropriate access to student records in compliance with FERPA.• Student's annual notification lists data that may be shared without written consent (such as enrollment status, class standing, attendance dates, degree, etc., may be released to public).• Students may opt to restrict their public information via the Registrar.• For more information, see https://ferpa.iu.edu or contact the Student data steward at [email protected] .

Slide 24: HIPAAThe HIPAA Privacy Rule protects all "individually identifiable health information" held or transmitted by a "covered entity," regardless of medium. The Privacy Rule calls this information "protected health information (PHI)."

Slide 25: HIPAA (continued)The vast majority of IU units should maintain no personal health information (PHI) whatsoever. If you are in a unit other than the HIPAA Affected Areas (e.g., Student Health Centers, Schools of Medicine, Dentistry, Nursing, and Optometry), and you encounter records that constitute PHI, you should contact the University HIPAA Privacy and Security Compliance Office for guidance.

VoiceOver: Keep in mind, the laws discussed in this tutorial are not an exhaustive list of all laws that may be applicable to a particular set of facts in relation to data protection and privacy. Additional federal laws, federal regulations, foreign laws, treaties, executive orders, state regulations, case law, etc… may also be applicable.Slide 26: Indiana LawIndiana data protection laws also help safeguard data!Indiana law...

• Makes it a crime to disclose more than the last four digits of someone's social security number to someone outside of the university (unless specific exceptions apply)• Requires IU to notify anyone whose personal information is acquired by an unauthorized person• Provides guidance on the proper disposal of sensitive information.

VoiceOver: “Taking Personal Responsibility” is the 5th and last element we will discuss in “How to Protect IU Data”. Taking Personal Responsibility involves:Slide 27: Reporting an IncidentAll individuals are required to immediately report the following:

• Suspected or actual security breaches of information• Abnormal systematic unsuccessful attempts to compromise information• Suspected or actual weaknesses in the safeguards protecting information

You should notify UISO by phone (call until you get to a human) AND you should email [email protected]

VoiceOver: Slide 28: Data Protection is a PriorityThanks for taking a moment to review your data responsibilities and please make it a priority to protect the IU data you manage in your daily work!Additional resources on data protection and privacy can be found at:

• http://datamgmt.iu.edu/ • https://protect.iu.edu/

Slide 29: A Final NoteTo be entrusted with access to Indiana University data and systems, employees must accept responsibility for, and stay informed of, IU policies and standards of acceptable use, as affirmed in the Acceptable Use Agreement, on a biennial basis. If you have not reviewed the agreement or attested to it in the last 24 months, please take a moment to review it. Also, please note that additional system access may have other training requirements, such as FERPA and HIPAA compliance training. This tutorial does not replace these requirements.