RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Subject:
From: "Piotrowski, Charles" <[log in to unmask]>
Reply To: Records Management Program <[log in to unmask]>
Date: Mon, 9 May 2005 13:58:18 -0400
Here is the process by which we at UCSC handled "breaches, hacks or
other unauthorized access to computing systems with unencrypted personal
identity information."

 

p. 16 has a nice flowchart.  Think of the VPIT as CIO.

http://iam.ucsc.edu/IP-Staff/PII/UCSC_Breach_Guideline.pdf

 

The whole website is at:
http://iam.ucsc.edu/IP-Staff/PII/Breach_Notice.htm

Please note that the law does not require you to notice until after the
breach is closed.

 

Even if 48 hours pass and you still haven't closed the breach, or
discovered the "hole" in the paper process, you don't broadcast notice.
You need to close the breach or resolve the process failure first, then
you can (with the police's OK) notify.  This

 

It may take some institutions more than 48 hours after discovering the
breach to close the hole. You don't have to tell the world that you are
under attack until the attack is repulsed.

Chuck Piotrowski

CVPS

Records Manager

(802)747-5447

 

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
