Educause Security Discussion mailing list archives

Re: FTC and Red Flag Rule...our policy
From: Chris Kidd <chris.kidd () UTAH EDU>
Date: Fri, 10 Oct 2008 11:32:44 -0600

Our approach has been to develop a simple policy:


Detection, Prevention, Mitigation, and Reporting of Identity Theft

1.      The Information Security and Privacy Office will develop,
routinely update, and distribute guidance which outlines methods of
detecting "Red Flags" - actual risks for identity theft.

2.      Departments shall review the guidance and apply procedures to
assist in detecting "Red Flags."

3.      If identity theft is suspected, the department will notify and
seek advice from the Information Security and Privacy Office within 1
business day.

4.      The Information Security and Privacy Office shall periodically
update the overall program, and departments should update policies and
procedures relevant to their operations, to reflect changes in risk,
based on the published guidance.

5.      The University of Utah Chief Information Officer and UUHC Chief
Information Officer will provide oversight for this program, after
written approval from the Board of Directors has been obtained.


The core of the program is the guidelines (attached). Our office
maintains the guidelines, and assists, when necessary, with


Chris Kidd

Chief Compliance and University Information Security and Privacy Officer

The University of Utah

650 Komas Drive, Suite 102

Salt Lake City, UT 84108

Office: 801.585.7483

Fax: 801.587.9443


From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mclaughlin, Kevin
Sent: Wednesday, October 08, 2008 3:38 PM
Subject: Re: [SECURITY] FTC and Red Flag Rule


Hi Anand:


We are affected, or at least that is what my treasurer, GC and I
believe based on our research into this. I am currently going through
the final set of red flag rules and trying to prepare a high-level
executive summary of what I think this means. Of the 328 pages I have
been able to drop it down to 120 and am hoping to get that to a document
under 10 pages that is basically a "this is what you should be doing."


If interested in getting a copy of that document (probably be early next
week before I am finished with it) just let me know.





Kevin L. McLaughlin


Director, Information Security

University of Cincinnati

513-556-9177 (w)

513-703-3211 (m)

513-558-ISEC (department)








From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Anand Malwade
Sent: Wednesday, October 08, 2008 3:24 PM
Subject: [SECURITY] FTC and Red Flag Rule



Does anyone know if Educational Institutions are affected by the FTC's
Red Flag Rule about maintaining an Identity Theft program? If yes, has
anyone implemented or has a roadmap for deployment?
In my opinion if the rule is indeed applicable, the Institution's Legal
Counsel should drive the initiative and not IT. 

Any suggestions are welcome. 




Anand Malwade, CISSP,CISM,CISA.
Information Security Officer,
Seton Hall University,
malwadan () shu edu 

Attachment: Identity Theft Guidance_3.doc
Description: Identity Theft Guidance_3.doc
