Data Security and Stewardship Committee
Cordelia Camp 101a
Wednesday, May 27, 2009

Present: Pam Buchanan, Steve Christison, Lisa Gaetano, Larry Hammer, Gary Jones, Debbie Justice, Scott Koger, Mary Ann Lochner, Bil Stahl, Scott Swartzentruber, and Mike Stewart
Absent: Zeta Smith
Recorder: Jenny Owen

Approval of Minutes

Bil Stahl made a motion to approve the minutes from the Data Security and Stewardship Committee (DSSC) meeting that was held on Thursday, April 30, 2009. There was no opposition, and the motion carried unanimously.

Role of the DSSC in the University’s Disaster Preparedness Planning

Action Item

Stahl reported that Chancellor Bardo has established a disaster preparedness and recovery team whose objectives will be to update and revise business continuity plans across the University and to develop an all-hazards plan for the University. Stahl explained that the newly appointed Disaster Preparedness and Recovery Team will be responsible for ongoing, programmatic oversight of the University’s disaster preparedness. Stahl said there will be times when the DSSC will be asked to follow up on items from the Disaster Preparedness and Recovery Team.

Stahl will notify the DSSC when the University’s State IT Audit is released sometime in July. Stahl added that access control was a large part of this audit.

Oversight of Policy 106 – Identity Theft Prevention Program

Mary Ann Lochner talked to DSSC members about their new role in helping to oversee the University’s new Policy 106 – Identity Theft Prevention Program. Lochner explained that this new policy came about because of a federal requirement for organizations to establish identity theft programs. Since the University has a role as a “creditor” under certain circumstances, this federal requirement applies to the University. The CIO (as program administrator for this policy) will be delegating Policy 106-related issues to DSSC members. Lochner suggested that DSSC members review the policy, or at least read pages 1-8. She added that several other internal policies and procedures were appended to Policy 106.

The WCU Board of Trustees will formally adopt and approve Policy 106 at their upcoming meeting on June 5. The FTC gave the University until August 1 to fully implement the policy. Lochner explained how she thought the DSSC might work to help the University become compliant with Policy 106 by the August 1 deadline:

  o Those DSSC members who work in the “broad areas” that would be affected by Policy 106 would help those areas develop activities, policies and/or procedures that would make them compliant. Then those DSSC members would bring any proposed activities, policies and/or procedures to the DSSC for review.

Action Item

After a lengthy discussion, Lochner said she would create some standard forms for (1) vendor amendments to existing contracts, and (2) addenda to contracts that we are negotiating. These forms will be necessary in order to comply with both Gramm-Leach-Bliley and the Red Flag Rules. Lochner will send the draft forms to DSSC members for review.