Lassoing the Beast: How a Large Diverse University is Wrapping its Arms Around Confidential Data Educause 2007 October 26, 2007 Maura Johnston / Assistant Privacy Officer (Audit, Compliance and Privacy) Donna Milici / Executive Director Information Technology (School of Nursing) Jim Cunningham / IT Senior Director (Information Systems and Computing)
Lassoing the Beast: How a Large Diverse University is Wrapping its Arms Around Confidential Data
Educause 2007
October 26, 2007
Maura Johnston / Assistant Privacy Officer (Audit, Compliance and Privacy)
Donna Milici / Executive Director Information Technology (School of Nursing)
Jim Cunningham / IT Senior Director (Information Systems and Computing)
Copyright Notice
Copyright University of Pennsylvania, 2007. This work is the intellectual property of the University of Pennsylvania. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the University of Pennsylvania. To disseminate otherwise or to republish requires written permission from the University of Pennsylvania.
Lassoing the Beast
• Privacy at Penn: The organization
• Security and Privacy Impact Assessment (SPIA): Its genesis
• Privacy Office, headed by Chief Privacy Officer, is part of the Office of Audit, Compliance and Privacy
• Leadership of many major activities, joint with Information Systems and Computing
• Privacy Senior Executive Committee (PSEC) – An oversight committee comprised of senior leadership in Schools and Centers. Co-chaired with Provost’s Office.
• Privacy Liaisons – Points of contact in 33 Schools and Centers.
• Other Key Partnerships:
– IT Roundtable
– Provost’s Office
– Office of General Counsel
– Office of Human Resources
• Top down influence and grass roots development
• At Penn, environment increasingly sensitive to privacy issues
• SPIA Coordinating Team – OACP and ISC
• Risk equation: What are the problems? What are we doing right? What’s left?
» Volume of data (including unnecessary data)
» Number of people working with data
» Volume of rules and best practices
» Changing landscape
• Models:
– Federal Privacy Impact Assessment
– Virginia Tech STAR model
Security and Privacy Impact Assessment (SPIA): Its Genesis
SPIA Genesis: Ideas into Implementation
• SPIA took several rounds to get to today’s version
– Pilot with financial services program offices – GLBA Safeguards Rule
– Early Adopters/Cohort I – Six Schools and Centers
• Very positive feedback; a basis for “buzz”
– Using the Cohort 1 successes, we presented on the value of the program to many audiences, asking for participation in a follow-up Cohort
– Cohort II launched in July: 19 schools and centers participating
SPIA: Process & Tool
• A people process intended to:
– Raise awareness deep into organizations
• What confidential data exists
• What systems store the data
– Establish common vocabulary and common standards for assessing risks to data
– Foster discussion involving IT staff, as well as the academic and administrative community
– Prompt remediation of major risk areas
SPIA: Process & Tool
• Organize your team
• Develop an approach
• Inventory your confidential data
• Schedule risk assessments
SPIA: Process & Tool
• Conduct risk assessments
– Current and Future State
– Probability x Consequence Scoring
– Seven Key Threats
– Sixty-eight Safeguards
1. Compromised by external hacker or malicious software
2. Intercepted in transit by unauthorized persons
3. Mistakenly disclosed
4. Knowingly or recklessly misused by staff, faculty, vendors, or temporary workforce
5. Physical theft
6. Loss of public trust over privacy
7. Lost or unavailable data (business discontinuity)
SPIA: Process & Tool
• Summarize Findings: An annual executive level reporting process
– Purpose: To provide a high level view of results, to better understand patterns of risk and plans to mitigate across the organization
– Describe the work effort
• Resources
• Number of systems assessed
– Key Learning and Follow-up
– Update on Prior Year Improvement Plans
– Signed by IT Director and Senior Business Administrators
SPIA: Decisions Along the Way
• No policy mandate to undertake SPIA (5 year organization-wide goal reported to Trustees)
• No requirement within SPIA to implement controls
– Requirements found in other policies, not in SPIA
• Keep tool simple – Boil it down to basics; other components optional
• Keep process flexible
– No requirement to keep to the threats or safeguards list for example.
– Excel spreadsheets easily editable.
• Keep information submitted to coordinating offices to a minimum
– Summary of approach (early on as QA)
– Executive summary (annual report)
• Implement on a cohort basis
• Report to trustees regarding expectations of SPIA program
Participant’s Report: Information Systems and Computing
• Which systems are appropriate for central IT to initiate a SPIA?
• Getting organized – 14 areas within IT participated
• Milestones are important to track and report progress against
• How applications/databases were defined varied widely
• Making it an on-going way of doing business
• Planning for the next year
– Adding to the inventory
– New system requirements
– Attention to types of data
Participant’s Report: School of Nursing
• Engage school leaders; capitalize on funding agency requirements
• Promote through existing channels; share learning
• Don’t just document – question WHO has access to WHAT and WHY, and adopt practices to monitor this
• Appreciate and manage the tension between need for privacy and ease of access to information
School of Nursing Highlights:
• Concerns
– Sustaining inventory with moving targets
– Protecting mobile devices
– Secure sharing of confidential data
• Major “wins”
– Awareness and modified behavior (ongoing)
– Early success with low hanging fruit and plans for next steps
– Buy-in for best practices, guidelines and policies
SPIA Sample Results as Reported by Participating Schools / Centers
• Areas of concern (examples):
– Protecting data on mobile devices
– Security of backup devices
– Remote desktop and other work at home methods
– Obscure location of unnecessarily retained, sensitive data
– Encryption of data in transmission and at rest
– Disaster recovery and testing
• Current successes and near future improvement plans (examples):
– Reduction in shadow systems
– Laptop security – removal of administrative privileges
– Complete removal of SSNs from certain applications
– Upgrading database versions to current, more secure
– Hardware firewalls in server rooms
– Tightening access privileges, especially temporary workers
– More use of automated security scanning tools and Cornell Spider tool
– Encrypting sensitive data at rest
What is next for Penn?
• Continued Support for Cohort 1
– Avoid the “we’re done” risk
– Summarize outcomes for senior leadership
• Project Management for Cohort 2
– Monthly meetings
– Ensure understanding of deliverables and check that they are delivered
• Recruiting for Cohort 3
– Each year may mean less enthusiastic participation (i.e., good guys sign up first?)
• Maintain senior level and trustee reporting and support