Data Security and Stewardship Committee Cordelia Camp 101a Thursday – November 20, 2008 Present Pam Buchanan, Steve Christison, Lisa Gaetano, Larry Hammer, Debbie Justice, Mary Ann Lochner, David Onder, Bil Stahl, Scott Swartzentruber, and Leila Tvedt Absent Scott Koger and Mike Stewart Recorder Jenny Owen Handouts and Other Related Material General Updates Data Security Procedures Related to the Data Security and Stewardship Policy Policy 93: Electronic Mail Policy UNC General Records Retention and Disposition Schedule At the UNC CAUSE Conference, Bil Stahl learned that the state auditor's office is now offering forensic services for computers. Systems and Operations staff members are working on their process for implementing the new password policy. Steve Christison asked if it was possible to have the new password policy correspond with the frequency for changing the Banner password. Stahl said we would try our best to keep everything as uniform as possible. In answer to Christison’s question about where the university is with selecting encryption software, Stahl replied that no standard encryption software has been selected. Swartzentruber said vendors were being considered for providing wholedisk encryption. The committee briefly discussed the shortage of disk storage. Stahl said several different storage options were being looked at. He added that he had proposed to Dr. Carter and Chuck Wooten that folks be required to include, in their yearly budget requests, any anticipated needs for large amounts of new storage. Scott Swartzentruber gave a brief summary on the IT audit. o One of the biggest issues will probably be that our IT Disaster Recovery Plan isn’t up to date. o Auditors focused on finance systems and what our processes were. o Network scans were performed on various servers. o Auditors walked through several network wiring closets. o Auditors performed scans on Oracle (the back end of Banner). Compared to other state agencies and schools, Swartzentruber thought we should “come out pretty well.” Stahl added that having this committee in place was helpful to the audit. The auditors’ report is expected by the end of December. We have 90 days to respond to any findings in the report after the public portion of the report is published on their website on January2. The committee had a lengthy conversation about security for paper records. There are two issues with purchasing an enterprise-level imaging system to scan paper records—money and the lack of a policy. Larry Hammer reported on their document imaging system. o They are in the process of trying to upgrade the software—it’s about three versions behind. o o Action Items They have ordered the module that allows importing of documents. Currently, the imaging system only scans hard copies. There is another add-on tool that can redact social security numbers on stored images. Stahl handed out the Data Security Procedures Related to the Data Security and Stewardship Policy document that Leila Tvedt revised. Stahl asked committee members to look it over and provide him or Tvedt with feedback. Stahl is still working on revising the email policy. He said he hoped to get a draft of the policy to this committee before the next meeting. Stahl plans to meet with Systems and Operations to talk about renaming the H: drive to something more descriptive that will help the campus community to be aware that the H: drive is secure. Jenny Owen will arrange to have the UNC General Records Retention and Disposition Schedule posted on the Data Security and Stewardship Committee’s webpage.