Kick off Meeting Presentation to Framingham State Information Security Council




  1. Information Security Program
     • Program Elements
     • Administration and Oversight
     • Information Security Council
     • Getting Started – Next Steps
     • Logistics
  2. Information Security Program
     • Umbrella framework for the ongoing stewardship of personal information, risk management and compliance efforts
     • Developed in order to comply with stated or implied mandates as specified by multiple legal statutes, regulations, executive orders and contractual agreements
     • Incorporates recommendations from the Commonwealth of Massachusetts Office of the State Auditor
     • Formally establishes information security as an institutional priority and a shared responsibility among all academic departments, administrative offices and third party service providers
     • Establishes and maintains ongoing practices that mitigate potential financial, legal, operational and/or reputational consequences of a security breach, system failure or non-compliance
  3. Program Elements
     • Records Management
     • Access Controls
     • Technical and Operational Safeguards
     • Procurement Standards
     • Workforce Hiring and Ongoing Training
     • Risk Management
     • Incident Response
  4. Program Administration & Oversight
     • President’s Council (joint oversight of institutional provisions)
     • Information Security Council* (implements, reviews and updates the Program with input and involvement from relevant administrative offices, academic departments and third party service providers)
     • Vice Presidents (ensure appropriate and auditable information security controls are implemented within their division and that job descriptions include individual responsibilities related to information security)
     • Cross Functional Administrative and Student Information Management Team (develops, recommends and implements approved policies that support a broad institutional commitment to stewardship of institutional data)
     • Data Incident Response Team (determines what follow-up may be required in response to any major or significant incident that warrants investigation, including triage, escalation and/or notification)
  5. Information Security Council
     • Develop action plans based on third party risk assessments, compliance audits and applicable mandates
     • Provide relevant administrative offices and academic departments with support and guidance
     • Ensure that general awareness and training is made available
     • Identify and address (accept, mitigate or transfer) reasonably foreseeable internal and external risks to the security of protected information and systems
     • Evaluate the effectiveness of safeguards for controlling these risks
     • Regularly monitor and evaluate the effectiveness of applied aspects of the Program at least annually, or whenever there is a material change in administrative practices and/or academic programs that may have implications for the security or integrity of PI
  6. So Where Do We Start?
     • Develop and/or Update Policies
     • Develop and Roll Out Annual Awareness and Training
     • Implement an Identity Management Solution
     • Complete Remaining Payment Card Industry Data Security Standard (PCI DSS) Remediation
     • Complete Annual PCI DSS Risk Assessment and Attestation of Compliance
  7. Policies
     • Records Management
     • Online Identity Management*
     • Data Stewardship
     • Security Breach Response Plan*
     • Payment Processing
  8. Awareness and Training
     • Increase Awareness – Students
     • Inform and Build Knowledge – Faculty and Staff*
     • Application of Knowledge – Faculty and Staff
     • Master Concepts, Rules and Regulations – Faculty and Staff
  9. PCI DSS Remediation (Complete by March 31st)
     • Documentation of Policies and Procedures
     • Awareness and Training
     • Administration of Access Privileges
     • Implementation of Technical and Operational Safeguards
     • Develop and Communicate Incident Response Plan for Suspected or Actual Security Breach
  10. PCI DSS Compliance (Complete by April 30th)
     • Lighthouse Audit (Begins April 1st and Ends April 30th)
     • Documentation of Policies and Procedures
     • Documentation of Payment Processing Environment
     • Network Scanning and Vulnerability Test Results
     • Interviews
     • Walkthroughs
     • Third Party Certifications of Compliance
     • Self-Assessment Questionnaire and Attestation of Compliance
  11. Logistics
     • Scheduling of Meetings
     • Collaboration Outside of Meetings
     • Gathering Input from the Community
     • Communicating Out to the Community