Lassoing the Beast: How a Large Diverse University is Wrapping its Arms Around Confidential Data Educause 2007 October 26, 2007 Maura Johnston / Assistant Privacy Officer (Audit, Compliance and Privacy) Donna Milici / Executive Director Information Technology (School of Nursing) Jim Cunningham / IT Senior Director (Information Systems and Computing)
Page 1

Lassoing the Beast: How a Large Diverse University is Wrapping its Arms Around Confidential Data

Educause 2007, October 26, 2007

Maura Johnston / Assistant Privacy Officer (Audit, Compliance and Privacy)

Donna Milici / Executive Director Information Technology (School of Nursing)

Jim Cunningham / IT Senior Director (Information Systems and Computing)

Page 2

Copyright Notice

Copyright University of Pennsylvania, 2007. This work is the intellectual property of the University of Pennsylvania. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the University of Pennsylvania. To disseminate otherwise or to republish requires written permission from the University of Pennsylvania.

Page 3

Lassoing the Beast

• Privacy at Penn: The organization

• Security and Privacy Impact Assessment (SPIA): Its genesis

• The SPIA process and tool

• Decisions along the way

• SPIA Cohort participants report:

• Information Systems and Computing

• School of Nursing

• Outcomes

• What is next for Penn

• Questions – [email protected]

Page 4

Privacy at Penn: The Organization

• Privacy Office, headed by Chief Privacy Officer, is part of the Office of Audit, Compliance and Privacy

• Leadership of many major activities, joint with Information Systems and Computing

• Privacy Senior Executive Committee (PSEC) – An oversight committee comprised of senior leadership in Schools and Centers. Co-chaired with Provost’s Office.

• Privacy Liaisons – Points of contact in 33 Schools and Centers.

• Specialized Committees / Teams:
  – IT Privacy
  – SSN Remediation
  – SPIA Coordination

• Other Key Partnerships:
  – IT Roundtable
  – Provost’s Office
  – Office of General Counsel
  – Office of Human Resources

Page 5

Security and Privacy Impact Assessment (SPIA): Its Genesis

• Top down influence and grass roots development

• At Penn, environment increasingly sensitive to privacy issues

• SPIA Coordinating Team – OACP (Office of Audit, Compliance and Privacy) and ISC (Information Systems and Computing)

• Risk equation: What are the problems? What are we doing right? What’s left?
  » Volume of data (including unnecessary data)
  » Number of people working with data
  » Volume of rules and best practices
  » Changing landscape

• Models:
  – Federal Privacy Impact Assessment
  – Virginia Tech STAR model

Page 6

SPIA Genesis: Ideas into Implementation

• SPIA took several rounds to get to today’s version
  – Pilot with financial services program offices – GLBA Safeguards Rule
  – Early Adopters / Cohort I – Six Schools and Centers

• Very positive feedback; a basis for “buzz”
  – Using the Cohort I successes, we presented on the value of the program to many audiences, asking for participation in a follow-up Cohort
  – Cohort II launched in July: 19 schools and centers participating

Page 7

SPIA: Process & Tool

• A people process intended to:
  – Raise awareness deep into organizations
    • What confidential data exists
    • What systems store the data
  – Establish common vocabulary and common standards for assessing risks to data
  – Foster discussion involving IT staff, as well as the academic and administrative community
  – Prompt remediation of major risk areas

Page 8

SPIA: Process & Tool

• Organize your team

• Develop an approach

• Inventory your confidential data

• Schedule risk assessments

Page 9

SPIA: Process & Tool

• Conduct risk assessments
  – Current and Future State
  – Probability x Consequence Scoring
  – Seven Key Threats
  – Sixty-eight Safeguards

Seven Key Threats:

1. Compromised by external hacker or malicious software
2. Intercepted in transit by unauthorized persons
3. Mistakenly disclosed
4. Knowingly or recklessly misused by staff, faculty, vendors, or temporary workforce
5. Physical theft
6. Loss of public trust over privacy
7. Lost or unavailable data (business discontinuity)

Page 10

SPIA: Process & Tool

• Summarize Findings: An annual executive level reporting process
  – Purpose: To provide a high level view of results, to better understand patterns of risk and plans to mitigate across the organization
  – Describe the work effort
    • Resources
    • Number of systems assessed
  – Findings
    • Greatest concerns
    • Successes
    • Improvement plans
  – Timelines
  – Budget implications
  – Risk reduction expected
  – Key Learning and Follow-up
  – Update on Prior Year Improvement Plans
  – Signed by IT Director and Senior Business Administrators
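The scoring and summary steps on pages 9 and 10 (probability x consequence per threat, scored for the current state and for the future state after planned safeguards, then rolled up into greatest concerns and the risk reduction expected) can be worked through in a few lines. The example below is added here to illustrate that arithmetic; it is not Penn’s SPIA spreadsheet. The 1..5 scales, the two sample systems, their scores and their planned safeguards are constructed assumptions, not figures from the deck.

```python
"""Probability x Consequence scoring for a SPIA-style risk assessment.

Added illustration of the scoring step, not Penn's SPIA spreadsheet. The
1..5 scales, sample systems, scores and safeguards below are assumptions.
"""
from __future__ import annotations

# The seven key threats named on the slide, in slide order.
THREATS = (
    "compromised by external hacker or malicious software",
    "intercepted in transit by unauthorized persons",
    "mistakenly disclosed",
    "knowingly or recklessly misused by staff, faculty, vendors, or temporary workforce",
    "physical theft",
    "loss of public trust over privacy",
    "lost or unavailable data (business discontinuity)",
)

SCALE = range(1, 6)  # assumed ordinal scale for both probability and consequence


def risk(probability: int, consequence: int) -> int:
    """One cell of the sheet: probability x consequence, each scored 1..5."""
    if probability not in SCALE or consequence not in SCALE:
        raise ValueError(f"scores must lie in {SCALE.start}..{SCALE.stop - 1}")
    return probability * consequence


def scored(*pairs: tuple[int, int]) -> dict[str, tuple[int, int]]:
    """Map seven (probability, consequence) pairs onto the seven threats."""
    if len(pairs) != len(THREATS):
        raise ValueError(f"expected {len(THREATS)} pairs, got {len(pairs)}")
    return dict(zip(THREATS, pairs))


def total_risk(scores: dict[str, tuple[int, int]]) -> int:
    """Sum of the seven per-threat risks for one system in one state.
    A missing threat is an incomplete assessment, not a zero risk."""
    missing = [t for t in THREATS if t not in scores]
    if missing:
        raise ValueError(f"unscored threats: {missing}")
    return sum(risk(*scores[t]) for t in THREATS)


def risk_reduction(current, future) -> tuple[int, float]:
    """Absolute and percentage reduction expected from the planned safeguards."""
    cur, fut = total_risk(current), total_risk(future)
    if fut > cur:
        raise ValueError("future state scored riskier than current state")
    return cur - fut, round(100 * (cur - fut) / cur, 1)


def greatest_concerns(assessments, top_n: int = 3):
    """Highest current-state cells across all systems: the 'greatest concerns'
    line of the annual summary. Ties break on system name, then threat."""
    cells = [(risk(*a["current"][t]), name, t)
             for name, a in assessments.items() for t in THREATS]
    cells.sort(key=lambda c: (-c[0], c[1], c[2]))
    return cells[:top_n]


def executive_summary(assessments) -> dict:
    """The figures an annual executive-level report would carry."""
    cur = sum(total_risk(a["current"]) for a in assessments.values())
    fut = sum(total_risk(a["future"]) for a in assessments.values())
    return {
        "systems_assessed": len(assessments),
        "current_risk": cur,
        "future_risk": fut,
        "expected_reduction_pct": round(100 * (cur - fut) / cur, 1),
        "greatest_concerns": greatest_concerns(assessments),
    }


# Constructed inventory: two systems, each scored as-is and as expected after
# the listed safeguards (system and safeguard names are assumptions).
SAMPLE_INVENTORY = {
    "grants database (SSNs, bank account numbers)": {
        "current": scored((3, 5), (2, 4), (3, 4), (2, 5), (1, 5), (2, 4), (3, 3)),
        "future": scored((2, 5), (1, 4), (2, 4), (1, 5), (1, 5), (1, 4), (2, 3)),
        "planned_safeguards": ["remove SSNs from the application",
                               "encrypt data in transit",
                               "tighten access privileges for temporary workers"],
    },
    "faculty laptops (grade files, old spreadsheets with SSNs)": {
        "current": scored((3, 4), (2, 3), (3, 3), (2, 3), (5, 5), (3, 4), (3, 2)),
        "future": scored((2, 4), (2, 3), (2, 3), (2, 3), (3, 2), (2, 3), (2, 2)),
        "planned_safeguards": ["full-disk encryption",
                               "remove local administrative privileges",
                               "scan for and delete retained SSNs"],
    },
}

if __name__ == "__main__":
    for name, a in SAMPLE_INVENTORY.items():
        drop, pct = risk_reduction(a["current"], a["future"])
        print(f"{name}: {total_risk(a['current'])} -> {total_risk(a['future'])} ({drop} points, {pct}%)")
    print(executive_summary(SAMPLE_INVENTORY))
```

Two design points carry over to a real sheet: an unscored threat is rejected rather than treated as zero, because a blank row usually means the assessment stopped early, not that the threat is absent; and the laptop example shows that a safeguard can act on consequence (encryption makes a stolen laptop a lost asset rather than a breach) as well as on probability.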

Page 11

SPIA: Decisions Along the Way

• No policy mandate to undertake SPIA: instead, a 5 year organization-wide goal reported to Trustees

• No requirement within SPIA to implement controls: requirements are found in other policies, not in SPIA

• Keep the tool simple: boil it down to basics; other components optional

• Keep the process flexible: no requirement to keep to the threats or safeguards list, for example; Excel spreadsheets are easily editable

• Keep information submitted to coordinating offices to a minimum: a summary of approach (early on, as QA) and an executive summary (annual report)

• Implement on a cohort basis: report to Trustees regarding expectations of the SPIA program

Page 12

Participant’s Report: Information Systems and Computing

• Which systems are appropriate for central IT to initiate a SPIA?

• Getting organized – 14 areas within IT participated

• Milestones are important to track and report progress against

• How applications/databases were defined varied widely

• Making it an on-going way of doing business

• Planning for the next year
  – Adding to the inventory
  – New system requirements
  – Attention to types of data

Page 13

Participant’s Report: School of Nursing

• Engage school leaders; capitalize on funding agency requirements

• Promote through existing channels; share learning

• Don’t just document – question WHO has access to WHAT and WHY, and adopt practices to monitor this

• Appreciate and manage the tension between need for privacy and ease of access to information

School of Nursing Highlights:

• Concerns
  – Sustaining inventory with moving targets
  – Protecting mobile devices
  – Secure sharing of confidential data

• Major “wins”
  – Awareness and modified behavior (ongoing)
  – Early success with low hanging fruit and plans for next steps
  – Buy-in for best practices, guidelines and policies

Page 14

SPIA Sample Results as Reported by Participating Schools / Centers

• Areas of concern (examples):
  – Protecting data on mobile devices
  – Security of backup devices
  – Remote desktop and other work at home methods
  – Obscure location of unnecessarily retained, sensitive data
  – Encryption of data in transmission and at rest
  – Disaster recovery and testing

• Current successes and near future improvement plans (examples):
  – Reduction in shadow systems
  – Laptop security – removal of administrative privileges
  – Complete removal of SSNs from certain applications
  – Upgrading databases to current, more secure versions
  – Hardware firewalls in server rooms
  – Tightening access privileges, especially for temporary workers
  – More use of automated security scanning tools and the Cornell Spider tool
  – Encrypting sensitive data at rest
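Two of the items above, the obscure location of unnecessarily retained sensitive data and the use of the Cornell Spider tool, describe the same problem from both sides: SSNs accumulate in old rosters, backup copies and spreadsheets that nobody inventories, and a scanner is how you find them. The example below is added here to show what such a scan does; it is not the Spider tool and not part of the deck. It reads plain text only (Spider also opened office documents), and the directory tree it scans is constructed inline so it runs offline.

```python
"""Find SSNs left behind in files, in the spirit of the Cornell Spider tool
named on the slide. Added example, not Spider itself: plain text only, and
the sample tree it scans is constructed below.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# ddd-dd-dddd or ddd dd dddd, same separator both times. Bare 9-digit runs are
# deliberately not matched: order numbers and phone numbers produce far more
# of them than SSNs do, and a report nobody reads finds nothing.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ])(\d{2})\2(\d{4})(?![\d-])")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def scan_text(text: str) -> list[str]:
    """Return every plausible SSN found in one document's text."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if plausible_ssn(m.group(1), m.group(3), m.group(4))]


def mask(ssn: str) -> str:
    """Keep only the last four digits, so the report is not a fresh copy
    of the very data the scan is meant to eliminate."""
    return "***-**-" + ssn[-4:]


def scan_tree(root: Path) -> dict[str, dict]:
    """Map each file containing SSNs (path relative to root) to a hit count
    and masked samples. Files are read as text; undecodable bytes are skipped."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        hits = scan_text(path.read_text(errors="ignore"))
        if hits:
            report[path.relative_to(root).as_posix()] = {
                "count": len(hits),
                "samples": sorted({mask(h) for h in hits}),
            }
    return report


# Constructed sample tree: a roster, a forgotten backup copy of it, and a
# notes file full of near-misses (phone number, date, order number).
SAMPLE_FILES = {
    "old_roster.csv": "name,ssn\nA. Student,123-45-6789\nB. Student,456 78 9012\nC. Student,666-12-3456\n",
    "backup/copy_of_roster.txt": "123-45-6789\n",
    "notes.txt": "Call the dept at 215-555-1234 about Educause 2007-10-26. Order #123456789.\n",
}


def demo() -> dict[str, dict]:
    """Write the sample tree to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        return scan_tree(root)


if __name__ == "__main__":
    for path, info in demo().items():
        print(f"{path}: {info['count']} SSN(s), e.g. {', '.join(info['samples'])}")
```

The report names files and counts but masks the values: a scan output that lists full SSNs is itself one more copy of the data to protect. The rejection of never-issued numbers (area 666, group 00 and so on) is what keeps the false-positive rate low enough that staff will act on the list; the third roster row above is dropped for exactly that reason.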

Page 15

What is next for Penn?

• Continued Support for Cohort 1
  – Avoid the “we’re done” risk
  – Summarize outcomes for senior leadership

• Project Management for Cohort 2
  – Monthly meetings
  – Ensure understanding of deliverables and check that they are delivered

• Recruiting for Cohort 3
  – Each year may mean less enthusiastic participation (i.e., good guys sign up first?)

• Maintain senior level and trustee reporting and support

• Integrate into ongoing business operations

Page 16

Q&A Contact Information and Resources:

[email protected]

Penn Privacy Web Site: www.upenn.edu/privacy

Penn Security Web Site: www.upenn.edu/computing/security

Copyright University of Pennsylvania, 2007