Securing Your Department's Sensitive Information
In 2004, the Medical School’s Office of Admissions and Financial Aid (OAFA) put into place a departmental security plan to address issues of sensitive information and compliance. We asked OAFA's Director, Kathleen A. Baer, to share her department's story and advice for others who are working on their own security issues.
Q: What changes in secure practices have you made over the last couple of years in your department that you feel others might benefit from learning?
A: Two years ago, the Medical School’s Office of Admissions and Financial Aid (OAFA) prepared a detailed information security plan. The goals of this exercise were to ensure that OAFA met University standards for the protection of all sensitive information and that we were in compliance on federal legislation that protects the confidentiality of individuals’ personal information. The plan also was prompted by a transformation in our admissions process that resulted in a five-fold increase in admissions applications and the subsequent need to process, store and safeguard considerably more confidential information.
We have implemented several general guidelines for staff regarding oral and written communications, the protection of electronic communications, the security of software, and the proper disposal of paper-based materials. Many of our changes in procedures are common-sense measures such as the need to:
- Re-orient computer screens away from the view of passersby;
- Re-configure workstations to include panels around desks and counters above desks to improve privacy;
- Relocate our office fax machine to a private storage area (in process);
- Require OAFA staff to use email signatures that include the University-approved confidentiality agreement; and
- Routinely lock all student files in secure cabinets during lunch hours and staff meetings.
Q: What have been some of the obstacles that you've had to deal with and how has the department handled them?
A: Like many administrative offices at Brown, we are challenged by space limitations. Our financial aid coordinator, to whom students are directed for initial consultation on financial aid questions, often had to relay sensitive information to students in a work area shared by several other employees, including staff from other offices.
We recognized that this was a terribly awkward and inappropriate situation, both for staff and for our students. We responded first by locating a very small work area in the corner of our suite - formerly a storage location – and working with an office design company and our colleagues in Biomed’s Physical Facilities Office to reconfigure that space into a functional and private workstation. Never underestimate the creativity of talented office design specialists to envision new space for personnel or new storage space where none existed previously!
We also try to balance the competing needs of providing secure work areas as well as a welcoming environment for our admissions and financial aid visitors. Where possible, we try to ensure that OAFA staff are readily visible to students and others. However, this year we are losing a workstation that had been used primarily for the processing of admissions applications. The individual in this role will now need to process applications in a much more visible area of the office, thus requiring us to build panels around the workstation for greater privacy.
Q: What would be the most important advice you could give others as they prepare their own information security program?
A: I encourage all managers first to familiarize themselves with their responsibilities vis-à-vis University privacy policies
Secondly, recognizing that we are all busy, there’s no need to start from scratch in developing your office’s information security plan. The CIS website offers excellent guidelines to identify the major components of the plan as well as specific, sensible guidelines that are applicable to all departments. [See Guidelines for Safeguarding Information and Brown University Checklist for Protecting Information.]
Third, include a copy of your plan in your office’s training materials for new employees and review it annually with all employees to determine if additional changes are needed.
Last, please contact me at Kathleen_Baer@brown.edu if you would like me to send you a copy of OAFA’s security plan.