UC IT Policy and Security Officers Meeting
24 October 2000, UCSF
ATTENDEES:
- Ellen Amsel, San Francisco
- Jacqueline Craig, Berkeley
- Karen Eft, Berkeley
- Russ Harvey, Riverside
- Mike Iglesias, Irvine
- Paula King, Merced
- Craig Lant, Berkeley
- George Lavender, Berkeley
- Marguerite McIntyre, San Francisco
- Bob Ono, Davis
- Janine Roeth, Santa Cruz
- Kevin Schmidt, Santa Barbara
- Andrew Tristan, Riverside
- Mike Van Norman, Los Angeles
- Kent Wada, Los Angeles
- Martha Winnacker, Office of the President
- Tony Wood, San Diego
- Steve Zenone, Santa Cruz
[People noted in brackets are responsible for the 'One Page' write-up assignments]
Kinds of security mechanisms currently employed
- Virus scanning (central) [Steve]
- Notification (sometimes post- is necessary)
- Post-audit of telephone calls for fraud detection [Mike]
- Intrusion detection [Craig]
- Firewalls/Secure Zones [Ellen]
- Not firewalls but secure zones
- Logfiles: post-audit, triggered
- Retention period
- What is collected?
- Data escrow
- internal audit
- misuse committee
- student judicial services
- campus counsel
- UCPD
- Privacy compliance officers
- Personal firewalls [Karen will link to an article on the topic]
- Active scanning [Kevin] and its intersection with privacy (foundational for privacy: tools for protecting privacy)
- Need campus approval/notification
- Looking for:
- Specific vulnerability
- To find breached systems
- Routine scans to notify local administrators of changes on their network
- Who is or is not watching for scans
- A scan is to obtain
- OS fingerprint
- Patches, back doors, service versions
- What are we scanning?
- How long do you keep data captured?
- What do you do with this data?
- Is such data a university record, subject to disclosure? MAYBE
- May need to keep to prove compliance with HIPAA
Issues
- Personally identifiable information
- Outsourcing: off-campus services, 3rd parties
- HIPAA (will probably involve a special working group; there is someone in general counsel who is the point for this for GC)
- Need for 24x7 procedures, no more fairweather policies
- Records management policy update in process (a 2 to 3 year process; people are working on the records retention schedule; some work done in Oregon) [RMP 8-12 are the sections on personal and public privacy guidelines]
- 'Surveillance' and involvement of other units like Audit.
- Licensing
- Asset Management
Reference [ECP V.A., p. 15]
V. Security Section
A. Introduction
The University attempts to provide secure and reliable electronic communications services. Operators of University electronic communication resources are expected to follow sound professional practices in providing for the security of electronic records, data, application programs, and systems under their jurisdiction based upon the guidelines provided in Business and Finance Bulletin IS-3, Electronic Information Security.
Reference [ECP Att. 2, III.B.4, p. 8]
III. Privacy and Confidentiality
B. Privacy Protection and Limits
4. Unavoidable Inspection.
For purposes of the Electronic Communications Policy, automated inspection of electronic communications in order to protect the integrity of University electronic communication resources does not constitute non-consensual access (see Electronic Communications Policy Sections III.D.7, Interference, IV.C.2.c, Unavoidable Inspection, and V.A., Security).
Next meeting:
Thursday, January 18, 2001
UCI (host Mike Iglesias)
Major items for the next meeting:
- Security Policy Framework that sits between the ECP and IS-3
Broad Principles - covering topics like:
- Asset Management
- Risks/Liabilities we are trying to manage
- Regulatory requirements
- Share additional, local, relevant campus procedural documents
Roadmap for next several meetings:
- Irvine, January 2001
- Davis, April 2001
- UCLA, July 2001 (in conjunction with UCCSC)
- Best Practices Campus to Campus
- HIPAA, HCFA
Invite campus counsel, internal audit representatives to meetings for specific agenda items.
Comments to:
policy@uclink.berkeley.edu
Revised: 30 October 2000