Top Information Security Concerns for Campus Executives & Data Stewards

Version 1.0: September 2010

1. What/Where is my data?

What data are in my part of the organization and where are they located?

a. Do I know where paper records that contain sensitive data are located and used?
b. Do I know where computers are located that store sensitive data?
c. Do I know if sensitive data is stored on removable media and portable devices?
d. Do I know the quantity of data?
e. Is data stored on home computers or personally owned devices or personally managed devices?
f. Do I know if a third party has access to or holds data from my organization?

#Top of page

2. How sensitive is it?

How sensitive is the data in my part of the organization?

a. Do I know what data my institution considers to be sensitive?
b. What are the consequences if sensitive data gets into the wrong hands?
c. What are the federal, state, contractual and institutional requirements for data under my responsibility?
d. Do I know the legal and civil consequences of failing to protect the data or failing to follow the laws and policies regulating the data?
e. Does my institution have a data privacy and security policy and do I know it is? Do I appropriately mitigate the risk level of data under my responsibility? Do I have a risk mitigation plan?
f. What are the risks of outsourcing to a third-party data for which I am responsible?

#Top of page

3. Who's responsible for it?

Who's responsible for the security of information in my part of the organization?

a. Have I clearly outlined employee roles and responsibilities for securing information?
b. Have I made information (training, policies, procedures) available to employees so that they understand how to protect data?
c. What is my role and responsibility for information in my part of the organization and how do I communicate that to employees?
d. How do I ensure the data protection policies of my institution are being followed?
e. Whom may I rely on for assistance outside of my part of the organization and how do I contact them?
      i. Chief Information Security Officer?
      ii. Chief Information Officer?
      iii. Internal Audit?
      iv. General Counsel?
      v. Privacy/Compliance/Risk Officer?
      vi. Chief Financial Officer?
      vii. Others?

#Top of page

4. Who has access to it?

a. Do only those with a business need have access to the data?
b. Are they authorized, documented and tracked?
c. Are authorization records periodically audited?
d. Do employee transition procedures (new employee, position changes, departure) include steps to update authorization records?
e. Have I made information (training, policies, procedures) available to users so that they understand how to protect data?
f. Do those with access to data know where to find information about how to protect it?

#Top of page

5. Do I need to keep it?

a. How long is the institution required to keep each data type? Does my institution have a retention schedule?
b. What are the benefits of keeping the data and do the benefits outweigh the costs and risks?
c. Do I know the institutions procedures for secure disposal?

#Top of page

6. What if it gets into the wrong hands?

a. Do I know how to recognize a data breach?
b. Do I know what my institution's procedures are to address it?
c. Do I know whom to notify in the event of data breach?

#Top of page

Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).