Data Security and Stewardship Committee Cordelia Camp 101a Monday – November 3, 2008 Present Pam Buchanan, Steve Christison, Lisa Gaetano, Larry Hammer, Scott Koger, Mary Ann Lochner, David Onder, Bil Stahl, Mike Stewart, Scott Swartzentruber, and Leila Tvedt Recorder Jenny Owen Handouts and/or other Related Information Data Handling Procedures Related to the Data Security and Stewardship Policy Effective Campus Data Security (attached to an email Bil Stahl sent to committee members prior to this meeting) General Information Bil Stahl reported that the IT audit starts next week. He said that having the Data Security and Stewardship Committee in place was very helpful. Because of a reduced budget, the auditors’ time here will be limited. Data Handling Procedures Stahl handed out a document entitled Data Handling Procedures Related to the Data Security and Stewardship Policy. He explained that he had drafted this document in preparation for the upcoming IT audit. Because the University’s email is the official means of communication and because the University’s email is outsourced, Stahl asked if there was anything we should tell the campus community not to email. Mary Ann Lochner said that even though University email is an official means of communication, we still shouldn’t email certain types of confidential information—that we might consider modifying Policy 93: Electronic Mail Policy to clarify that. Action Items Stahl asked committee members to look over the Data Handling Procedures Related to the Data Security and Stewardship Policy and provide him with any feedback. Leila Tvedt agreed to rewrite parts of the Data Handling Procedures Related to the Data Security and Stewardship Policy to make it more understandable for lay people. Stahl agreed to Scott Koger’s suggestion of referencing existing policy links within the Data Handling Procedures Related to the Data Security and Stewardship Policy so it will remain current when policies that are referred to in the document are modified. The group agreed that the Data Handling Procedures Related to the Data Security and Stewardship Policy should be attached as a procedure to Policy 97: Data Security and Stewardship Policy. Stahl agreed to modify Policy 93: Electronic Mail Policy to incorporate Swartzentruber’s suggestion about pointing to secure portals or links within emails that reference confidential information. Stahl will email a draft of the Policy 93 revision to this committee to review before he presents it to the IT Policy Council. Effective Campus Data Security Stahl bounced the following idea to the committee: “When we look down the road at technology such as cloud computing, it seems that it is becoming much more apparent that we can only control things with policies--that there is very little of what we will be doing that can be controlled with technology.” The committee discussed how to get the campus community started on that level of education. Comments: o Require training as people are hired. o General security awareness training is being required of all university employees. o If we change from technology based to policy based, will it hold up during litigation? o Re-label the H drive to the “secure drive” so people can better understand. o The phrase “train and trust” is becoming more common. o Look at similar institutions to see if there is a general place where you can see what kinds of technology they have. o We have implemented good policies, but we haven’t educated the university community about the policies. Action Items Stahl will ask that the Effective Campus Data Security document be presented for approval to the Executive Council in the very near future. Stahl agreed with Tvedt’s idea of having a consolidated location where overviews of all the IT policies and procedures can be read. He will arrange to have this aggregated onto IT’s website along with frequently asked questions. Koger added that Cornel University had a “slick model for aggregating policies” that Stahl might want to look at.