Managing System Failures to Safeguard Information
The following checklist guides University of Mary Washington functional and technical managers in planning how to deal with failures, including attacks and intrusions, of information systems (paper-based or computer-based) that deal with legally protected information. Legally protected information is information
- to which the University restricts access as required by law (including but not limited to such statutes as the Family Educational Rights and Privacy Act (FERPA) dealing with student records and the Gramm-Leach-Bliley Act (GLBA) dealing with personal financial information), or
- to which the University decides to restrict access in accord with the provisions of the Virginia Freedom of Information Act or other applicable law.
Checklist
- Maintain up-to-date and appropriate plans and controls.
- Create and maintain a written contingency plan to address any breaches of your physical, administrative or technical safeguards.
- For computer systems, check regularly for vendor updates and patches that address system software vulnerabilities (including anti-virus tools and other attack-prevention tools).
- Maintain carefully configured and monitored firewalls or other security strategies (at multiple levels if necessary).
- Provide decentralized staff with good central information, tools and other resources related to the constantly changing list of security risks.
- Maintain an environment in which you can revert to a recent version of the information if the current version is damaged or corrupted (i.e., do frequent backups and store them securely and safely).
- Notify affected populations promptly if their information has been subject to loss, damage or unauthorized access.
Adapted by the Department of Information Technologies from related FTC materials.

