Old Business and New Business
Domains 1-10 have been reviewed, revised, endorsed, and prioritized.
Milford gave an update from the Committee of Data Stewards (CDS) and reviewed recent incidents.
- The CDS meets monthly. It is currently working on a draft policy to formalize the process for handling information sharing with third parties. It is also wrestling with the Business Intelligence (BI) initiative and how combined data elements and metadata should be managed, handled, etc. Kim also updates the CDS on the activities of this Council.
- Review/summary of recent incidents
  - Our office handled approx. 20k incidents in 2011; roughly 5k per quarter. These are incidents in general, not all security breaches. This total also includes things like copyright complaints, policy/privacy/security questions, reports of misuse/abuse, exposures that are not sensitive/personal information, etc.
  - The main source of security compromises is drive-by downloads that exploit third-party application vulnerabilities (i.e., Adobe software vulnerabilities). It’s important to keep software updated by applying patches. Secunia PSI is one tool we have to assist with this.
  - Lost or stolen devices continue to be an issue. We saw a higher number of unencrypted lost/stolen mobile devices in 2011, as well as police requests for us to watch for stolen devices. We can do some automated monitoring for stolen devices on our network if we know the MAC address of the stolen device.
  - We had several email preservation requests. We track these because they’re time-consuming.
  - A department’s server was compromised because the vendor’s default password had not been changed.
  - It was highlighted that Exchange/Outlook public folders can be an inadvertent source of exposures.
  - We have already seen some web site hacking in 2012.
Davis shared the idea of addressing a memo from the Council to VPs Applegate and Wheeler recapping the Council’s progress and delegates’ support of the program. Rives suggested that we consider addressing such a memo to senior management in general, not just those 2 VPs (either address those VPs and cc everyone else, or send to all senior management). There was general agreement to address such a memo more broadly.
Wrap-up and Next Steps
Next meeting: March 7, 2012