Securing Confidential Information

1
Securing Confidential Information

• Protecting Confidential Data
• in an Electronic World

2
Purpose

• Raise awareness about how each of us can protect
  SAISD Student and Staff confidential information.
• Better understand the risks when using and
  storing paper and electronic information
• Better understand how to reduce those risks
• Expectations
• Learn to Protect Confidential Data
• Model what you have learned in this course
• Receive a certificate of attendance for
  participating in this session.

3
Why Now?

• K-12 education systems have used Social Security
  Numbers as THE unique identifier for students and
  staff because PEIMS reporting requires Social
  Security Numbers.
• It is our responsibility to protect the
  confidentiality of electronic and paper-based
  information.

4
Confidential Information is

• Information that may or may not be protected by
  law but which is desired to be treated as
  confidential and protected as such.
• Access to confidential information is prohibited
  unless permitted by policy or an exception to the
  law.
• All references in this training include, but are
  not limited to, social security numbers, date of
  birth, and name.

5
Directory Information is

• Available upon written request to the District
  unless restricted by the employee (or students
  parent/guardian) each year
• Name, Address, and Telephone number
• Date of birth
• Gender
• Ethnic origin
• Other data listed by the District

6
Where Do You Find Confidential Information?

• On your workstationat work or at home
• Mobile devices such as laptops, Palm handheld
  computers, USB flash drives (e.g. memory stick,
  Pen Drives, thumb-drives), CDs, floppy discs,
  iPods, or cell phones.
• On information resource mediae.g., networks,
  application systems, including operating systems,
  tools, communications systems
• A variety of paper documents and reports related
  to staff data (scheduled to be removed within six
  months pending ).

7
Follow Legal and District Requirements
http//intranet

• FERPA
• Texas Education Agency Security Environment
  Requirements
• Administrative Procedures (see Board Policy
  references)
• Draft Requests for Data and Data Security
  Measures
• F19 Family Educational Rights and Privacy Act
• F12 Maintaining Permanent Cumulative Student
  Records
• D5 Acceptable Use Procedure for Employees
  Computer, Telecommunication, and Internet Access
• D25 Records Retention Employee Personnel Files
• D29 Information Dissemination
• C29 Records Management
• G13 Requests for Public Information (Open Records)

8
Understand the Risks

• Identify risks at work, for example
• Shared passwords.
• Leaving data where it can be accessed by others.
• Failure to log-off the computer after each use.
• Failure to shred paper or mark-out/cover
  confidential data with a black permanent marker
  (e.g. Sharpie)
• Contact Supervisor in case of
• Questions or concerns
• Questionable incidents regarding sensitive data.

9
Protect Confidential Documents

• File required reports and forms with confidential
  information in a locked file cabinet.
• Mark-out/cover SSNs on copies of archived
  documents whenever possible.
• Secure documents before leaving your desk.
• Keep your office locked when unattended.
• Shred drafts, excess copies, and other obsolete
  papers with confidential information.
• Shred documents after the retention period
  expires.
• See the Texas State Library Records
  Retention Schedules, Local Schedule SD for School
  Districts

Check with your supervisor for details regarding
your specific situation.
10
Follow Safe Computing Guidelines -- Passwords

• Protect your user ID and Password. You are
  responsible for ACTIONS taken with your sign-ins.
• Do NOT post, write or share Passwords with ANYONE
• Do NOT reply to requests for passwords or
  personal information via email. The District will
  not request confidential data electronically.
• Notify District account managers when access is
  no longer needed for your job or when your job
  with the District changes.
• Use passwords that are hard to guess, easy to
  remember, and change them often.
• Use a password-protected screensaver for your
  workstation (on-site, laptop, etc.)

11
Safe Computing Guidelines---Control Physical
Access to Your Workstation

• Only authorized users should have physical access
  to your workstation, including monitors, mouse,
  keyboard, etc.
• If you use a mobile device or home workstation to
  conduct SAISD business you are responsible for
  taking all measures to protect the data.
• Remove from or encrypt confidential data on
  mobile systems when leaving District premises.
• Please note that transporting unencrypted,
  confidential data on a mobile device (e.g.
  laptop, USB Flash Drive, CD-ROM) is RESTRICTED.
• Only authorized individuals can transport
  confidential documents.

12
Safe Computing Guidelines---Report Computer
Security Incidents

• Report unusual computer behavior (e.g. mouse
  pointer moves by itself) to your supervisor AND
  the HelpDesk at 281-9090 (or via email at
  helpdesk_at_saisd.net).
• Report any suspicious incidents to your
  supervisor immediately.
• Report lost or stolen devices immediately to the
  SAISD Police (271-3124) at any time. If stolen
  while off district property, also report the
  theft to local police authorities. Obtain case
  numbers.
• Notify your supervisor immediately of the
  lost/stolen device and any sensitive data stored
  on it.

13
What Can Each of Us Do To Secure Confidential
Information?

• Each member of the Department must take
  responsibility for securing his/her data.
• Get help from the HelpDesk (281-9090)
• Understand the laws and procedures and seek help
  when requirements arent clear.
• Understand the risks of non-compliance

14
Help SAISD maintain a strong and secure
confidential information environment. Thank you
You have completed the Security Awareness
Training.