Security Task Force Summary
The Security Task Force convened meetings in November and December
of 2006. Tim Miller and John Kemp were the co-chairs of this task force.
Other members in attendance were: Stephany Freeman, Troy Meyer, Jon
Miyake, Josh Ward, José Dominguez, Steve VanDevender, and Jason Edmiston.
This set of meetings focused on two topics: 1) Data Security, and
2) Education, Awareness, and Training. Other large-scale initiatives were
also discussed. The recommendations below came out of these meetings.
Data Security Related Recommendations
Risk Assessment
The campus should schedule regular assessments to discover unprotected
sensitive data. These assessments may be performed internally or externally.
Their results should help guide the future direction of security
initiatives on the campus.
The Business Intelligence Initiative made significant progress in producing
a data assessment. This process should be taken to completion by analyzing the
risk associated with this information. The Risk Assessment should become an
institutionalized procedure that takes place on an annual or bi-annual basis.
Data Security Policy
As part of an overall security plan, the campus should establish a clear
policy addressing data security. This policy should clearly define what sensitive
data is and provide guidance for the correct handling of sensitive data. An example
of some of the policy requirements has been generated.
The next step in this process would be to organize a committee to produce the
Data Security Policy draft. This process should begin as soon as possible. Some
of the members of the Security Task Force would be beneficial to this committee.
Data Security Procedures
Related to the policies defined above, employees and administrators should be
provided with a guidebook that describes procedures for the proper handling
of sensitive data. These procedures should be given to new employees who hold
data-handling positions. Existing employees should also have the opportunity
to receive this information.
Data Encryption Usage
Departments should be required to employ encryption for the storage of
sensitive data. For laptops holding sensitive data, departments should be required
to use full disk encryption. For desktops, tools such
as Microsoft EFS or similar file/folder encryption utilities could be employed.
Encouraging and supporting the use of EFS, as part of an internal
Microsoft PKI, could help speed up this process. Currently
Network Services and the Registrar's Office are testing this kind of solution
to determine its suitability for this environment.
The Security Group is also testing a number of commercial and free products
that could be used to provide encryption support. These products include:
TrueCrypt, PointSec, Credant Mobile Guardian, Utimaco SafeGuard, Wave
Embassy Suite, AxCrypt, and Microsoft BitLocker. The brand of product is
not so significant; requiring that sensitive data be encrypted is what matters.
Education, Awareness, and Training Related Recommendations
System Administration Training
System administrators on campus should be given the opportunity to take
part in security training on at least an annual basis. Detailed
training on Windows Server security is highly desirable. This type of
training is also important when new technologies are released. This task force
has identified several vendors that could provide this type of training.
New Employee Security Awareness
Employees should be informed of general security issues during orientation. This
could include handouts or a brief presentation by a designated trainer. Human Resources
and the Registrar's Office could play an important role in assisting with the implementation
of this training. It is recommended that a process be started to make this kind
of resource available.
Existing Employee Security Awareness
Classes that provide general security information to employees should be
offered on a regular basis. These classes should be updated periodically with
new information.
Specialized Training
Certain topics require specialized training. Training on specific topics should be
offered to employees who deal with particular types of sensitive data. The areas of
FERPA, HIPAA, Gramm-Leach-Bliley, and so on should be covered. Linda Kizer-Paquette
and Jim (David) Blick, both Assistant Registrars, were identified
as people who have some level of expertise in specialized training and who might
be helpful in jump-starting this process.