IReport team brainstorming results, July 3rd, 2008
The question considered was:
What are the desired outcomes and implementation considerations?
Brainstorming issues, followed by clustering.
Clusters and issues are in alphabetical order.
Communication of reporting policy
Communication to non-IT staff
Communications to campus community about policies
Communicating when to report
Coupon for ice cream attached to reporting form
How do we get the word out to campus? (about the policy and procedures)
How can we get faculty input into the policy?
What communications methods are needed for rolling out the policy?
Who to engage and at what point?
24x7 contacts for campus
Good contact information if need to report
Phone list of "Uh-Oh" situations
How are we going to allay the budgetary impact fears of those who report?
How can we "incent" compliance? What's the carrot?
How to address management concerns about the embarrassment of reporting an incident?
How to encourage compliance?
How to get faculty to report stolen equipment or data release?
Is (or can there be) a financial incentive to report an incident?
Full Reporting of Potential Restricted Info Release
Learn from others
DoIT Advocacy for existing feel [sp?] - IT Changes.
Incident Repository / Tracking
Info sharing with post incident review
Keep Higher Level language technology-wise
Learn from errors
What about improving security after an incident (to prevent recurrence)?
Over Reporting => resources, process
Risk of "over-reporting"
Prevention (protecting sensitive info)
Campus tools for Risk Assessment (AKA how do you know you have data that will need reporting)
Can this policy drive folks to get rid of this data?
Clear policies about transmission of data (e.g. always encrypted)
Data vault for SSNs - Control over who has access
Follow up on post-incident recommendations
Guidelines / Best Practices for Protecting Data (And how to not be a reporter)
How can such a policy drive better training on best practices for securing data?
Should we proactively see if this data is vulnerable?
What role can Internal Audit play in policy compliance?
Protect Staff Reporting
Accountability & Protection vis Reporter [copy from Report / Acct.]
How to protect individuals who report an incident? (i.e. from retaliation)
No Accusations ( ? ) [word in parenthesis illegible]
No recriminations to messenger?
Protect Whistle Blower
Reporting Incident
Accountability & Protection vis Reporter
Who would enforce the policy? (i.e. if an incident were not reported and bad things happen)
Can we have faculty report someplace on the academic side of the house?
Clear guidelines for determining reportable event
What general method or methods should be available for reporting an incident?
What is a "timely" report?
What is a reportable incident?
Who decides if we inform univ. executives / others?
[See also: #Standard procedures / docs (how developed as well)]
Standard procedures / docs (how developed as well)
Consistent incident response
Documentation and guidance on how to get started on an investigation
Easy and clear and understood procedure to report
How much is "policy" and how much is "guidelines"?
How to / checklist for ID of issue
Standard procedures for investigators
What is "sensitive information"?
[See also: #Reporting Incident]