InfraSec 06.10.15 Minutes

Attending:

Phil Reiter, Allen Randall, Frank Cervone, Kevin Shalla, Lalo Camacho, Sandeep Dath, Therese Molina, Mark Goedert, Mat Willis, Bala Ramaraju, Ernesto Reyna, Craig Jackson, Jason Maslanka, Kevin Price, Ed Zawacki, Chris Barton, Mike Kirda, Andre Pavkovic, Lisa Blake, Heather O’Leary, Ron Fernandez, Marcin Hiolski, Ilir Zenku

  • Risk Assessment
    • Overview
      • Risk assessment is completed
      • Procedure for future assessments has been created
      • Draft recommendations reviewed, focusing on four to be implemented
      • Cynthia is now a U of I HIPAA Privacy and Security Officer
    • Business Associate Agreement
      • HIPAA subcommittee is working on a BAA template for BAAs on campus
    • Vulnerability Assessment
      • Committee should recommend how to roll out assessment
    • ePHI Data Inventory
      • Proposal for a shared inventory tool is to be made available to campus
      • Discussion of recommendations, what it will take to move forward
  • Security Goals for InfraSec
    • Review of Security Program
      • A policy shift has occurred: HIPAA issued a mandate that policy must be amended to include encryption of all devices under the covered entity
      • Decision was made not to allow employees to store high risk data on their personal devices
      • HIPAA training will be required of everyone under the covered entity, not just for those handling high risk data
    • Subcommittees
      • Suggestion to evaluate subcommittees: what exists, what each is working on, how each should change going forward
    • Disaster Recovery Plan
      • McGladery will work to survey InfraSec members about disaster recovery needs
  • Status Updates
    • Enterprise Apps
      • The group is meeting next week to discuss requirements and next steps
    • Office 365
      • An email is going out to REACH and IT professionals focusing on a change in personal purchases
    • Chair Meeting Outcomes/Council
      • Chairs of ITGC committees met to discuss HR resolution
      • Discussion of Data Governance Committee recommendation on the need to consider language to differentiate between governance and operations
    • Subcommittees and Bylaws
      • There are a number of listed subcommittees to review, work to be archived
    • ADSM
      • There have been issues with ADSM
      • CrashPlan is a solution for workstations, but not servers
      • CrashPlan licenses are not going out to everyone yet, but units are encouraged to use it when possible, and to pull data off ADSM
      • Goal is to incorporate CrashPlan costs into rate and funding for FY17
    • Virtual Private Network
      • Working on VPN; looking for more user data on what else is needed
    • Unified Communications Roadmap/Consulting
      • The Burwood group is consulting with ACCC on Unified Communications