IT Security-related Legislation
Judy Borreson Caruso, CUMREC 2004, May 18, 2004

Copyright Judy Borreson Caruso, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 1

IT Security-related Legislation

Judy Borreson Caruso
CUMREC 2004
May 18, 2004

Copyright Judy Borreson Caruso, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Judy Caruso
Thank you, Katie. Welcome. Information Technology (or IT) legislation is a growing part of the law, with new laws being introduced regularly. For instance, before passage of the CAN-SPAM Act late last year, there were 9 spam bills drafted and submitted for consideration in the US House and Senate. For the purposes of this presentation, only IT security-related legislation is included and not other IT legislation such as that affecting the telecommunications industry. Also, I want to say up front that I'm not a lawyer, so what I say is a reflection of my opinion or in some cases the opinion of my campus legal advisor. Take the advice for what it's worth and see your campus legal personnel. If your experience is like mine, when you ask for advice, the response is often, "It depends." Please hold your questions to the end of the presentation. However, I do reserve the right to answer all questions with "It depends"!
Page 2

Judy Caruso
In this cartoon, the man at the computer asks himself, "Should I answer this questionnaire about Internet privacy?" The computer responds, "Don't bother. We already know how you feel." This cartoon demonstrates the importance of protecting privacy on the Internet. Some of the security-related legislation is directly aimed at protecting privacy when doing electronic commerce. Other legislation is related to protecting confidentiality and some at protecting copyright. By the way, the use of this cartoon might be a copyright violation! We asked the author for permission but never received a response. This is an example of the copyright violations that occur every day. The goal today is to enlighten you regarding IT security-related legislation and to help you become as compliant as possible.
Page 3

Presentation Outline

• IT Security-related Legislation – what is it?
• Why now?
• Impact on HE
• General overview of legislation
• Focus on a few laws related to E-signature
• How HE is responding
• What you should do
• Resources

Judy Caruso
The outline of this presentation begins with an explanation of what IT security-related legislation is. Then a discussion of why so many laws are being enacted at this time will follow. For assistance in understanding all the acronyms there are several handouts: one bubble diagram in color, a listing of the laws and a glossary of definitions. How these laws impact Higher Ed will be presented next. Since we're limited to 50 minutes, only a few of the laws will be focused on in more detail. The laws that will be discussed in more depth are the E-signature provisions of FERPA (the Family Education Rights and Privacy Act) and Student Loan Regulations, the E-Sign Act (the Electronic Signatures in Global and National Commerce Act) and UETA (the Uniform Electronic Transaction Act). How some educational institutions are responding will be presented next. And last, there will be some advice on how you should get started at your institution, and some resources that can help will be identified.
Page 4

IT Security-related Legislation – what is it?

• Includes laws, administrative code, FTC regulations, rulings, etc.

• Focus on Internet

• No such thing as “Internet Law”

• Disparate laws – Federal and State

• Confusing relationships between them

• Limited case law

Judy Caruso
In this presentation, the terms laws and legislation are being used loosely. Legislation refers to any legally binding action including FTC rulings, DOE regulations, Congress-enacted laws, and other related actions. All this recent legislation (from about 1996 to the present) has started since the rise of Internet use, especially since the commercialization of the Internet. While some legislation is focused on the Internet, there is no such thing as a comprehensive set of Internet legislation. Instead there is a confusing set of laws (both federal and state) with complex interrelationships between them. And to make it even more difficult, there isn't much case law. There is some case law on FERPA, which will be presented later in this presentation. And most recently there was a ruling by a federal court regarding the fast track subpoena provisions of the DMCA, the Digital Millennium Copyright Act.
Page 5

Why now?

• 9/11 fallout

• Explosion in Internet use

• Commercialization of the Internet

• Web usage – easy to violate copyright

Judy Caruso
Why is there all this legislation now? There is the 9/11 fallout. After 9/11 the Congress of the United States began passing a number of laws that broaden the powers of the police in obtaining access to confidential information. The first was the USA PATRIOT Act, which was passed just 6 weeks after 9/11. There have been revisions and other laws since. In fact, the Patriot Act is being reviewed at this time. Since the commercialization of the Internet in the mid-1990s there has been an explosion in Internet use. This explosion has made people easy targets for electronic advertising and spam. Also, it's easier than ever to copy materials inappropriately and violate copyright laws. The cartoon used earlier, for example, was obtained from the Internet.
Page 6

Why now?

• Increased interest in:
– Protecting confidentiality and privacy
– Protecting copyright

• New technologies enable:
– Spam
– Peer-to-peer
– Viruses/worms/hacks

Judy Caruso
Also, now there is more interest than ever in protecting confidentiality and privacy. We are all worried about identity theft, for example. Legislation recently passed that protects confidentiality and privacy includes HIPAA (Health Insurance Portability and Accountability Act), ECPA (Electronic Communications Privacy Act), the Gramm-Leach-Bliley Act (GLBA), and recent updates to Federal Trade Commission (FTC) regulations. Laws protecting copyright have undergone many revisions; the origins of copyright are 200 years old. Significant legislation was enacted in the 1970s. There have been many changes since. In November 2002, Congress passed the TEACH Act, the Technology Education Harmonization Act, which extends the copyright exemption for educational use, to make it easier for accredited nonprofit colleges and universities to use materials in electronic form. We also now have new technologies that make mischief and illegal use relatively easy. For example, obtaining email addresses and sending spam is easier than ever. Peer-to-peer technology has enabled the ability to share and distribute copyrighted materials such as audio and video productions. Viruses/worms/hacks are the result of the ease with which the developers can obtain access to your workstations and servers via the Internet.
Page 7

How do they impact higher ed?

• Often created for other industries
– HIPAA for health insurance
– GLBA for financial

• Higher Ed is in multiple industries
– Loans
– Health care
– Debit cards
– Publication
– Research discovery
– Education

• Need legal counsel/audit

Judy Caruso
Much of the recent legislation is directed at industries other than higher education. HIPAA was created for the health insurance industry. The Gramm-Leach-Bliley Act was intended for financial institutions. Yet higher ed is impacted. This is largely because higher ed is in multiple lines of business. We have student and employee loan programs; we provide health care services. We operate debit card services. We create publications. We make patentable research discoveries. And, of course, we provide education. If you don't have campus legal services to help you through this flood of legislation, you should consider obtaining advice from an attorney. The IT policy and security staff at UW-Madison work closely with the UW-Madison attorney who oversees the information technology area and with Internal Audit. In this presentation so far, some recent IT security-related legislation and how it impacts higher education has been covered. Next we will walk through a diagram of some of the recent legislation at the 10,000-foot level. Using the colored bubble diagram handout, please follow along. The legislation and the acronyms are on the other handouts.
Page 8

Overlap Among IT Security-Related Laws (diagram)

Diagram node: FERPA
Caption: in the beginning there was FERPA...

Prepared by Judy Caruso, [email protected]. Copyright © 2004, University of Wisconsin Board of Regents

Judy Caruso
Starting at the beginning, we have to talk about FERPA, the Family Education Rights and Privacy Act. Most of you are pretty familiar with FERPA. This law has been updated many times, most recently with the Department of Education e-signature rule, which is effective next week on May 24. This will be discussed in more depth later in this presentation. FERPA has been around long enough for there to be some case law surrounding it. For example, a recent ruling found that an individual doesn't have the right to sue a school on the basis of an alleged FERPA violation. But the Department of Education's Family Policy Compliance Office has the power to rule on FERPA violations and can terminate federal funds to schools that fail to comply. Additional laws have been added that interact with FERPA.
Page 9

Overlap Among IT Security-Related Laws (diagram)

Regions: Business Processes, Electronic Records
Laws shown: FERPA, GLBA, UETA, E-SIGN, SOX, CAN-SPAM

Judy Caruso
These laws can be confusing and overlap, as shown in the diagram. Let's start with an overview of laws that are related to business processes and electronic records. The common thread between these laws is protecting privacy and confidentiality. And they can include security practices. Several of these laws (CAN-SPAM, GLBA, UETA, and E-SIGN) also have a requirement that you must have the consent of the person you're doing business with electronically. CAN-SPAM became effective in January 2004. The first test of the law occurred in late April when four Oakland County, Michigan, men were charged with violating this law. They currently face criminal charges. Today, two of the four face a hearing on the complaint. It will be interesting to watch how this case progresses. GLBA, the Gramm-Leach-Bliley Act, requires businesses to create a security program in order to safeguard customer information. This law's objectives are to ensure the security and confidentiality of customer information and to protect the information from threats or unauthorized access. Another of these laws is UETA, the Uniform Electronic Transactions Act. This is a law that has been passed by 44 states. Wisconsin passed it recently, in April 2004. It interacts directly with the federal E-Sign law. These laws will be discussed in more detail later in the presentation.
Page 10

Overlap Among IT Security-Related Laws (diagram)

Regions: Business Processes, Electronic Records, Law Enforcement, Anti-Terrorism
Laws shown: FERPA, GLBA, UETA, E-SIGN, SOX, CAN-SPAM, U.S.A. PATRIOT Act, ECPA, CFAA, CDC Select Agent Program, Bio-terrorism Protection Act

Judy Caruso
The next area of legislation is the laws related to law enforcement and anti-terrorism. Many of these laws were enacted as a response to the 9/11 attack and the heightened concern about protecting our country from terrorism. They impact higher education. For example, the USA PATRIOT Act under certain conditions prohibits institutions from revealing the very existence of law enforcement investigations. This is the law that required the INS (the Immigration and Naturalization Service) to create SEVIS, the Student and Exchange Visitor Information System. The ECPA, the Electronic Communications Privacy Act, prohibits use or interception of the contents of wire, oral, or electronic communications. It is an interesting law in that it doesn't protect against disclosure that the communication occurred, so it could make it OK to monitor personal network use. This law, along with the USA PATRIOT Act, broadens the authority of law enforcement officials to obtain information. ECPA is beginning to have some case law. The CFAA, the Computer Fraud and Abuse Act, is what is often referred to as the "hacker law." It criminalizes unauthorized access to a protected computer with the intent to obtain information, defraud, cause damage, or obtain anything of value. It is directed at interstate or foreign commerce by financial institutions or government. Both the CFAA and ECPA are criminal statutes.
Page 11

Overlap Among IT Security-Related Laws (diagram)

Regions: Business Processes, Electronic Records, Law Enforcement, Anti-Terrorism, Instruction, Copyright
Laws shown: FERPA, GLBA, UETA, E-SIGN, SOX, CAN-SPAM, U.S.A. PATRIOT Act, ECPA, CFAA, CDC Select Agent Program, Bio-terrorism Protection Act, DMCA, TEACH

Judy Caruso
The third area of legislation is the laws related to instruction and copyright. Major copyright legislation was passed in the 1970s and it's been updated and amended many times. The DMCA, the Digital Millennium Copyright Act of 1998, requires each Internet service provider to name a Designated Agent and to adopt and implement policies for removing copyrighted material from Internet access. This is the law under which the Recording Industry Association of America (RIAA) and the motion picture association and others send complaints of potential copyright violations. There is just beginning to be some case law associated with the DMCA. At issue in a recent federal court ruling was the validity of the fast track subpoena provision, which enables a subpoena to be signed by a clerk rather than a judge. The court ruling found that "the special, fast track subpoena provision of the DMCA on which the recording industry had been relying did not apply in cases in which the copyrighted material is stored on computers that are beyond the service provider's reach." This means that we in Higher Ed, as service providers for our students, can't be expected to respond to the fast track subpoenas, as our students' computers are beyond our reach. This means that the recording industry can seek copyright violators' names only through conventional legal procedures. This will cost the recording industry more time and money. This ruling is being challenged in the courts.

One of the interesting outcomes of peer-to-peer file sharing and the DMCA is that it's forcing the RIAA and others to re-examine their business models. Since sales of DVDs and CDs are down, these organizations must find a way to generate revenue. This has also created an opportunity for institutions to evaluate what services to provide to students. Penn State, for example, purchased the Napster service to provide its students with legal copies of music. At UW-Madison we're not considering offering such a service to our students at this time, but many institutions are. Finally, the TEACH Act (Technology Education and Copyright Harmonization Act), passed in 2002, makes it easier to use materials in a technology-oriented instructional environment. TEACH is a law that is being interpreted differently at different institutions. At UW-Madison we're not really using this law but utilizing the "fair use" doctrine as our copyright guide.
Page 12

Overlap Among IT Security-Related Laws (diagram)

Regions: Business Processes, Electronic Records, Law Enforcement, Anti-Terrorism, Instruction, Copyright, Research, Health, Human Subjects
Laws shown: FERPA, HIPAA, GLBA, UETA, E-SIGN, SOX, CAN-SPAM, U.S.A. PATRIOT Act, ECPA, CFAA, CDC Select Agent Program, Bio-terrorism Protection Act, DMCA, TEACH

Judy Caruso
The last area of legislation is research and health related. HIPAA, the Health Insurance Portability and Accountability Act, is a very confusing piece of legislation. Hospitals, clinics, health care providers and insurance plan services have been working hard over the past few years trying to get into compliance. The privacy portion of the law required compliance by April of 2003. You notice these efforts whenever you go to the clinic and are asked to sign confidentiality-type forms. For higher education, the privacy part of the rule is not too difficult because, for students, if you're compliant with the FERPA privacy rules, you're compliant with the HIPAA privacy rules. The second part of HIPAA is the Security Rule; compliance is required by April 2005. UW-Madison and many other institutions are trying to ensure we meet this rule's requirements in time. Institutions and businesses are spending lots of money in order to be HIPAA compliant. At UW-Madison, for example, we've hired a full-time attorney as our HIPAA Privacy Officer. If you haven't heard of HIPAA, you probably aren't affected by it. There is also a lot of legislation in the Human Subjects area. Now we've walked through an overview of legislation. Next, the complexities surrounding e-signature and how it affects our business processes and electronic records will be explained in more depth. Also, how institutions vary in their approach and their interpretation of what needs to be done will be presented.
Page 13

E-Signature Legislation

• Student Loan E-Signature Regulations

• FERPA E-Signature Regulations

• E-Signature Law (E-sign)

• UETA– Uniform Electronic Transactions Act

• All procedural statutes

Judy Caruso
The E-signature legislation to focus on includes the rules added to Student Loans, FERPA e-signature regulations, E-signature Law and UETA Uniform Electronic Transaction laws. All of these laws are procedural statutes.
Page 14

E-Signature Rules for Student Loans

• Issued by Department of Education – 2001

• Creates standards for E-Signatures in Student Loan transactions

• Created a FAFSA-PIN service (Free Application for Federal Student Aid)

Judy Caruso
The interaction of these e-signature laws is complex. Two Department of Education rules related to e-signature are worth noting. First, after E-Sign was passed, the Department of Education issued standards for electronic signatures in electronic student loan transactions. They supported those standards with the FAFSA-PIN service, which allows students to have personal identification numbers that they can use for signing student loan documents.
Page 15

E-Signature modification to FERPA

• Proposed in 2003 – effective May 24, 2004
• "Signed and dated written consent" may include a record and signature in electronic form. It must:
– Identify and authenticate a person as the source of the consent
– Indicate the person's approval
• Technology neutral

• Refers to student loan standards as acceptable standard

• Specifically acknowledges the existence of the E-Sign Act

Judy Caruso
Second, also important to higher ed, is the recent Dept. of Education ruling on e-signatures and FERPA. This rule is effective next week, on May 24. The rule simply says that "signed and dated written consent may include a record and signature in electronic form that identifies and authenticates a particular person as the source of the electronic consent and indicates such person's approval of the information contained in the electronic consent." The regulators took a technology-neutral approach in this rule, but in their comments they specifically mention that electronic signatures as implemented for student loans would be an acceptable solution for FERPA. Also, this FERPA e-signature rule specifically acknowledges the existence of the Electronic Signature Act.
Page 16

E-Sign Act (Electronic Signatures in Global and National Commerce)

• Signature, contract or other record may not be denied legal status solely because it’s in electronic form

• Has consent requirements

• State governments cannot pre-empt unless they do so by passing UETA

Judy Caruso
Next, look at E-Sign, the Electronic Signatures in Global and National Commerce Act of 1995. It states that "a signature, contract or other record may not be denied legal status solely because it is in electronic form." It also has consent requirements. There are complex provisions for how the act applies to federal and state governments.
Page 17

UETA – Uniform Electronic Transaction Act

• State law – passed by 44 states

• Allows use of electronic records and electronic signatures

• Drafted specifically to remove barriers to electronic commerce

Judy Caruso
And the last electronic signature related law is UETA, the Uniform Electronic Transaction Act. It is a law that's currently been passed by 44 states. It allows use of electronic records and electronic signature transactions. Its fundamental purpose is to remove perceived barriers to electronic commerce. It's a procedural statute. It was drafted specifically for states to enact uniformly, hence the name. It was created by the Uniform Law Commissioner in 1999.
Page 18

How do these e-signature rules/laws interact?

• UETA/E-Signature overlap
– UETA has provisions not in E-Sign
– E-Sign has provisions not in UETA
– E-Sign permits states to pre-empt E-Sign if they passed UETA
– Both are technology neutral
– Both require consent but E-Sign goes further

Judy Caruso
So what about these examples of electronic signature legislation? How do they interact? When federal and state laws overlap, as E-Sign and UETA do, the federal law takes precedence unless stated otherwise in the legislation. In this case, the federal E-Sign law recognizes the existence of UETA. It notes that a state may pre-empt E-Sign "only if such statute, regulation, or rule of law constitutes an enactment or adoption of the UETA as approved and recommended for enactment in all the States." Both of these laws are technology neutral. They also both contain consent requirements.
Page 19

How do these e-signature rules/laws interact?

• E-Sign extension to Student Loans/FERPA
– Student Loans rule from 2001 is referred to in FERPA rule
– For student records, some institutions already implemented e-signature before the FERPA change
– It's more specific than E-Sign but refers to it
• E-Sign Law and FERPA E-Sign rule
– Both have consent requirements

Judy Caruso
The Department of Education ruling on e-signature standards for student loans was used as an approved example in the recent FERPA e-signature rule. Even before this recent extension of FERPA to electronic signatures, some institutions implemented e-signature features with their student records. They decided to do so because FERPA didn't prohibit electronic signatures and E-Sign allowed them. Obviously, these institutions weren't challenged. The FERPA ruling seems to be consistent with E-Sign in the area of consent. Both require consent of the individual in order to transact legally binding records electronically. One way you see this consent is in Internet sales, when you see a message that asks if you indeed want this amount charged to your credit card and you have to click a button that says "OK, charge me."
Page 20

How are institutions implementing E-Signature?

Judy Caruso
Many institutions are utilizing the FAFSA-PIN from the Department of Education student loan regulation for obtaining electronic signatures for their Stafford loans. This web site is the Department of Education's site for student PIN registration. Before students can complete the electronic signature for Stafford loans they must register here. In reviewing university financial aid web sites, it appears that many of them link to the DOE site. Many also direct students to student loan service providers such as Sallie Mae, Educaid, and EdAmerica for actual completion of the electronic signature of the loan. It's difficult to find on the web what other institutions are doing for electronic signatures for other student record processing. It is likely, though, that many institutions are using web transactions utilizing electronic signatures with student records or are planning to do so soon.
Page 21

What we’re doing at Wisconsin

• Discussing!

• Consent for each individual transaction or for a group of transactions?

• Do E-signature and FERPA e-signature laws complement each other?

• When in doubt – ask consent

Judy Caruso
So how are we responding to e-signature legislation at Wisconsin? For student loans we utilize a student loan service provider at UW-Madison for electronic signature for Stafford loans. For other electronic signatures, we are in discussion among the UW System institutions. The debate centers around which business transactions are subject to the E-Signature law. One thing we seem to agree on is that, when in doubt, consider whether you need the consent of those you're doing e-transactions with. We're only beginning to discuss the new FERPA rule regarding e-signatures, even though it is effective next week. We're trying to understand what the implementation consequences would be. We will be continuing this discussion over the next few months.
Page 22

Institutional approach and costs

• Dedicate staff
• Get a lawyer/security officer/internal audit
• Compliance penalties
• Cost of a breach
– Real $
– Institutional reputation
– Cost of communication
– Loss of trust

Judy Caruso
When you review the complexities of the e-signature legislation and all the other security-related legislation, you may struggle figuring out what to do and what it will cost the institution. It is useful first to fund staff who can be dedicated to this work. At UW-Madison, we've dedicated approximately one FTE to IT policy-related work. Make sure your campus has an attorney and a security officer. Also, an internal auditor can be helpful. Some of the laws, such as the Bioterrorism Select Agents law, have personal as well as institutional penalties. And finally, the real cost occurs when someone's privacy/confidentiality isn't protected and information is released. There is a big cost in recovery. There are a number of articles regarding the institutional cost of a security/privacy breach. Also consider the institutional reputation. There is certainly a cost if you lose public credibility. There is a cost to inform those who may be affected. For example, there is a CA law that requires this. And, of course, the loss of trust in the institution and its processes can be very costly.
Page 23

Overall steps you can take

• Overall:
– Involve CIOs/Institution Executives
– Discuss with campus legal, auditors, security officers
– Work with functional users

Judy Caruso
Now, here are some suggestions on how you can work toward compliance with all these regulations. First, know what would work at your institution. Involve the CIO and institutional executives. This is an institutional issue, not just an IT issue. Form a good working relationship with your campus legal office, auditors and security officer. It's also important to include the functional users. They are responsible for their data systems and the processes surrounding them.
Page 24

Steps you can take

1. Institutional assessment

2. Review what other institutions are doing

3. Look at advice from EDUCAUSE, NACUBO, etc.

4. Review state and local law, as well as federal

Judy Caruso
There are a number of actions you can take as you move toward compliance with these laws. Doing an overall institutional security assessment can give your institution a good picture of where they stand. Look at what other higher ed institutions are doing, especially your peer institutions. They are likely facing the same difficulties you are in getting compliant. There is a wealth of advice from EDUCAUSE, NACUBO and other organizations that can help you improve security at your institution. State and local law as well as federal law need to be reviewed. While federal law usually takes precedence, there are times when state laws are more stringent and they apply.
25

Steps you can take

5. Create security policies and best practices

6. Assess individual systems/procedures
• Printing SSNs
• Sending un-encrypted patient information
• Data warehouse use
• Obsolete authorizations
• Etc.

7. Assess system integration processes/procedures

Judy Caruso
One of the challenges in creating security policy and best practices can be the institution itself. At UW-Madison, for example, we have a very decentralized governance and culture. There are very few institution-level policies. It wasn't until this past winter that we could require all devices connected to the campus network to run anti-virus software. And that was hotly contested! Instead at UW-Madison we tend to focus on procedures and best practices. It would take us potentially years for a policy to go through the various governance committees. One case where we created procedures was in the implementation of the USA PATRIOT Act. We established procedures so that if someone with a badge shows up at 3:00 AM at the data center and asks for data we don't have the operators deciding what to do. They just follow the procedures. A best practice we've implemented in the central IT organization at UW-Madison is the signing of two forms by all staff. These forms are the IT Appropriate Use Guidelines and Protecting of Confidential Data. While we implemented this in our department, this hasn't become a standard campus-wide due to the decentralized nature of the campus. Review your individual systems and procedures and your system integration processes and procedures. Do they adequately protect confidential information? For those systems with personal health information, for example, this assessment is extremely important in order to be compliant with HIPAA. Social security numbers are required to be protected by a number of state laws. So actions must be taken to protect them. But also consider little things, like printing a report with SSNs to a shared printer. Can anyone walk by and pick up the document? Look at encryption as a mechanism for protecting confidential data. Is your data warehouse data as secure as the original source data? Review your processes for ensuring the staff only have access to the data they need to do their jobs. Look at how staff authorizations are removed or how authorizations change when they change jobs. Also, look at your architecture for integrating systems and make sure it's secure as well.
26

Steps you can take

8. Educate staff regarding copyright, laws, protecting confidentiality/privacy

9. Understand interaction between electronic records and physical security – work with police

10. Prioritize - addressing those areas with the greatest problems and largest vulnerabilities first

11. Monitor and enforce policies/procedures

Judy Caruso
Faculty, staff and student education is critical. Educate them about copyright, FERPA and protecting confidentiality and privacy. Ongoing education is essential even for technologists. While our central department staff signed the Appropriate Use and confidentiality forms, they forget so quickly and easily. At UW-Madison we are trying to do a lot of awareness and training on campus. We have a few minutes with incoming students during summer orientation and we provide posters and brochures telling students what is appropriate. For HIPAA, we created online training modules that are required of all staff handling Personal Health Information. Also, physical security plays a role in protecting our electronic records. Working with police can help reduce the risk. It's important to prioritize your efforts. You should address those areas with the greatest problems and the largest vulnerabilities first. Monitoring and enforcement of policies and procedures are very important. Without this, don't bother with the policy. As my legal partner advises, policies that aren't enforced put you at greater risk than no policy at all. If you get audited, you will be criticized for not enforcing existing policies. If you get sued, you may be considered even more negligent if you had policies that you didn't enforce.
27

What to do first

• Institutional assessment:
– Who's working on this?
– Overall compliance

• Education and training

Judy Caruso
The recommendation is that you begin by assessing where your institution is. Who's working on this? If everyone is, then maybe no one is! Do an overall assessment: look at risk, vulnerabilities, policies and procedures. Also, begin with education and training of all campus users: faculty, staff and students. Not surprisingly, most security problems are caused by people.
28

Resources

• http://wiscinfo.doit.wisc.edu/policy
• http://www.sce.cornell.edu/exec/cpl.php
• http://www.educause.edu/cg/security.asp
• http://educause.edu/policy
• http://www.sans.org/resources/policies
• http://www.utsystem.edu/ogc/intellectualproperty/
• http://www.itc.virginia.edu/pubs/docs/RespComp/resp.comp.html
• http://www.doit.wisc.edu/security/policies/rules.asp

Judy Caruso
Thank you for your attention today. This presentation was an overview of security-related legislation affecting higher ed. The handouts provided and these reference URLs can help you solve the legislation puzzle. I also want to thank my UW-Madison colleague, Gary DeClute for his drafting of the handouts you have today and for his assistance in creating this presentation. And now, I'd like to open up the floor to questions from the audience. Do you have any questions?