A Blueprint for Handling Sensitive Data: Security, Privacy, and Other Considerations

Information security risks at colleges and universities present challenging legal, policy, technical, and operational issues. According to a recent study by the EDUCAUSE Center for Applied Research (ECAR), security incidents have resulted in compromises of personal information which have led to bad publicity and the potential for identity theft. Among the steps to protect sensitive data include an information security risk management program, data classification policies, clearly defined roles and responsibilities, awareness programs, and technology solutions among other interventions. This seminar will outline a blueprint for protecting sensitive data according to the EDUCAUSE/Internet2 Security Task Force.

Intended Audience

This seminar is designed for the following audience:

Presenters

H. Morrow Long
Director, Information Security Office
Yale University

Krizi Trivisani
Chief Security Officer
George Washington University

Resources

Tools

• Confidential Data Handling Blueprint
• Data Classification Policies
• Data Incident Notification Toolkit
• Disclosure Notification Flow Chart (Yale University)
• Information Security Governance (ISG) Assessment Tool for Higher Education
• Model Security Policy
• Risk Assessment Framework

Articles

• "A Unified Approach to Information Security Compliance" by M. Peter Adler, EDUCAUSE Review (2006)
• "The Privacy and Security Policy Vacuum in Higher Education" by Fred H. Cate, EDUCAUSE Review (2006)
• "Presidents and Campus Cybersecurity" by Joy R. Hughes and Jack Suess, EDUCAUSE Review (2005)
• "Addressing Information Security Risk" by Mohammad H. Qayoumi and Carol Woody, EDUCAUSE Quarterly (2005)
• "Security Breaches: Notification, Treatment, and Prevention" by Rodney Petersen, EDUCAUSE Review (2005)
• "The 'Zen' of Risk Assessment" by Cedric Bennett and Richard Jacik, EDUCAUSE Quarterly (2005)