by Connie Sadler, Dir. of IT Security, CIS
Information Technology Risk at Brown
IT Security led an effort this summer to gather data from 88 departments in support of Brown University's first comprehensive IT Security Risk Assessment. The goal was to identify risks common to many departments and to then create a project plan to address the top risks identified. The second Risk Assessment will be done in 2007, and will be repeated every other year. During the even years, efforts will be made to prioritize and work on the primary risks identified during the assessment years.
While the University does a comprehensive assessment for the campus, each department also must look at risk within the department, and take action. And every user has a responsibility to their department to do their part in protecting information and pointing out potential weaknesses. Only by working together as a team can we achieve our collective goal of applying adequate protections where they are needed.
One of our big priorities for 2006 is to make sure that we know where all confidential and sensitive data is stored at Brown (both on servers and workstations) and to make sure that it is properly protected in storage (on a server or workstation, in a cardboard box or backed up on disk or tape) as well as in transit (via courier, campus mail, email, ftp, etc.). Confidential and sensitive information includes:
- financial information (either personal, departmental or institutional)
- health care information
- "customer" information (personal data entrusted to us by others) from individuals who register for events at Brown online or who purchase materials from us
- health-related information for research, athletics, student health or staff
- performance or disciplinary information, etc.
We should also be confident that we know where information that is subject to regulatory compliance is located. Sensitive printed information should never be discarded. Shred it instead. It's going to take a commitment from every individual at Brown to ensure that all of the sensitive information we hold is adequately protected.
Anyone who has questions about the data they generate or have access to—or how it is stored or transmitted—is welcome to contact me at any time at 3-7566, or by email at Connie_Sadler@Brown.edu.