Web Accessibility and Sensitive Data Considerations

Agenda
- Sensitive Data
- Accessibility
- Financial Management

College of Education
Michigan State University

Sensitive data
Back in 2005, the University started a campaign to make staff more aware of sensitive data concerns.

PCI DSS (Payment Card Industry Data Security Standard): if credit card numbers are stolen from our servers and we are found to be in breach of the PCI DSS standard at the time of the breach, Visa and MasterCard may EACH fine the University up to $500,000 and then revoke our ability to accept their credit cards. More information: http://computing.msu.edu/msd/pcidss.html

MSU's Managing Sensitive Data site at http://computing.msu.edu/msd/ is worth a thorough read.
Levels of sensitivity for data
- Confidential
- Sensitive
- Public

Public data
Not protected and generally made publicly available
- Directories
- Library card catalogs
- Course catalogs
- Institutional policies

Sensitive data
Protected by institutional policy, guidelines, or procedures; may be public/FOI-able (freedom of information)
- Salary data
- Detailed institutional accounting and budget data
- Personally restricted directory data
- Certain personal employee attributes

Confidential data
Protected by law, contract, or University policy
- SSN
- Payment/credit card
- Health records
- Student records
Where to look for sensitive data

Digital
- Laptop computers, desktop computers
- PDAs, thumb drives
- Network drives, web and file servers
- Email attachments, social networking sites

Paper
- Sticky notes, notepads, paper files
- Receipts
- PAN forms and other official documents
- Travel documentation

Ask, "Do I absolutely need this data?" If not, get rid of it.

If you do need it, minimize its exposure.
- As soon as you no longer need the data, delete it.
- Don't leave sensitive data on computers or PDAs that are easily stolen.
- Make sure the computer the data is stored on is protected against viruses, worms, etc.
- Be careful distributing the data via email or paper forms.
Identifying and reporting an incident
For help determining if an exposure or intrusion occurred, contact the College Computer Support: 353-8770

What happens if an incident occurs?
- College CSG checks the computer to determine if there is sensitive data involved. The computer remains powered on but disconnected from the network.
- If there is sensitive data involved, the College notifies DPPS at 355-2221.
- DPPS, the unit, and LCT will assess the incident.
- Systems involved may be taken for investigation.
- If necessary, MSU will disclose an exposure to those who might be affected.
Incidents at MSU
Despite best efforts, exposures have happened at MSU:
- Student PIN #s exposed during data transfers between business units
- SSNs may have been exposed on a server at a business unit
- Student SSNs, names, addresses may have been exposed on a server at an academic unit
- Years of credit card transactions may have been exposed on a server at a business unit
- Confidential employee information may have been exposed on servers at a business unit
College Policy
The college has been working on sensitive data management, and security awareness has increased. Our data is more secure now that we have followed the policy for a few years.

All college staff are required to attend a sensitive data awareness seminar every three years.

And in practical terms, that means?
No confidential data on college servers or computers.

There is no reason to store SSNs on a computer, so don't. If you need to use SSNs at all (and we know there are reasons), work with us to make sure they are handled with a minimum of risk.

For credit card/payment information, use the web credit service at https://www.ais.msu.edu/webcredit_info/webcredit_intro.asp

If you absolutely must have SSNs, credit card numbers, or any other sensitive data on paper, destroy those papers as soon as you don't need the data anymore. If you need to keep the data, lock the papers up, then destroy them as soon as you can.

Most importantly: be aware of how you can minimize exposure.
Financial Management Oversight
- Segregation of duties: more than one person needed to complete a record transaction.
- Implement mitigating controls if staffing resources do not permit desired segregation of duties.
- Adequate oversight: at least take samples.
- Pay attention to high risk areas: cash and inventories. Take periodic inventory.
- Monthly reconciliation of P-card statement is required.
Accessibility
Web accessibility means that people with disabilities can read, navigate, and contribute on the Web through the use of assistive technology like screen readers.

The web accessibility initiative facilitates MSU interacting with the broadest possible audience.

The web accessibility policy will start being enforced May 15, 2009.

What needs to be accessible?
Any content that is considered "core business" by the university must be accessible.

What is "core business"?
Core business is defined very broadly. It is "activities that students, employees, or visitors must access in order to effectively participate in a program, service, or activity offered by the University."

In practical terms, this means EVERYTHING (web pages, PDF documents, Word documents, etc.) except personal web sites or documents.

In theory, it also includes internal documents that students never see.

The University will help.
LCTTP has free classes on how to make Word documents and PDFs accessible. In fact, one is offered on April 3. Details here: http://train.msu.edu/classinfo/detail.asp?course=72633

If you do create a web site or edit pages
You need to follow the University's guidelines, which can be found here: http://webaccess.msu.edu/policies-and-guidelines/interimtechnical-guidelines.html

What about my faculty members?
The policy dictates that faculty are responsible for making their own course content accessible. This includes course information on Angel or any other web-based teaching methods.

Faculty are aware of this and have resources to consult in approaching this task.