Post on 26-Mar-2020
Presenting to Executives October 21, 2014
2
Agenda
• Welcome and Workshop Overview
• Common Grounding
• Expert Panel Discussion
• Apply and Share
• Case Study
• Small Group Exercise
• Report Out
Welcome and Workshop Overview Who We Are
Community of Practice
HUIT PMO
• Identify and embracing existing PM community
• Collaborate and problem solve • Share experience, approaches and
techniques • Provide direct input to HUIT PMO on
needs and challenges • Serve as vehicle for training, mentoring,
and coaching
• Improve effectiveness of project management across HUIT
• Establish common philosophy and language
• Collect and transparently report project and portfolio status
• Support, develop, and provide guidance to HUIT community of project managers
3
Common Grounding
Expert Panel Discussion
4
Facilitator Andrew Amrhein Managing Director, PMO Harvard Business School
Panel Members
Marika Rueling Chief of Staff Office of the Executive Vice President Liam Schwartz Associate Director for Strategic Analytics Office of Institutional Research Bob Wittstein Managing Director, Administrative Technology Services Harvard University Information Technology
Apply and Share
Case Study > Original Presentation
5
Title Protecting Student and Employee SSNs
Audience Higher Education User Group Conference for Oracle customers
Purpose Inform conference attendees about Northwestern University’s initiatives to protect the privacy of student and employee SSNs
Duration ~ 30 minutes
Protecting Student and Employee SSN’s Session #20415 March 13, 2006
Alliance 2006 Conference
Nashville, Tennessee Last updated 3/ 13/ 2006
7
Your Northwestern University Presenters
Suzanne Anderson University Registrar and Director of Student Enterprise System
Ann Dronen Associate Director of Student Enterprise System
Kathy Tessendorf Director of Human Resources Information
8
Overview
Today we will discuss the numerous initiatives that Northwestern University has and will
implement to protect the privacy of student and employee Social Security Numbers.
9
Agenda/Contents
• SSN’s were everywhere!
• Why we needed to change our ways
• Getting organized
• Obstacles and challenges
• Specific actions
• There’s more to do!
10
About Northwestern University
Northwestern
University is a
private institution
founded in 1851.
11
About Northwestern University
We have 18,000
students and two
campuses; one in
Evanston, and one
in Chicago.
12
We have 11 Schools and Colleges
Weinberg College of Arts and Sciences Communication Education and Social Policy Engineering and Applied Science Medill School of Journalism School of Music Graduate School Kellogg School of Management School of Law Feinberg School of Medicine Continuing Studies
13
About Northwestern University
We have 6,700 benefit-eligible employees
and produce 20,000 W-2’s.
14
A little about our use of Oracle
• Initial Implementations: • HR – 1997 • Student Administration – 1998-2000 • Financials – planned for 2007
• HR and SA are on separate databases
15
Our HR System
• Modules Implemented • Position Management • Base Benefits • Payroll • FSA • E-Recruit
• Version • Currently on 8.3 • On our way to 8.9 (planned for April 2006)
16
Our SA System
• Modules Implemented • Academic Advisement • Admissions • Campus Community • Financial Aid • Student Financials • Student Records
• Currently on Version 8.0
17
Before PeopleSoft, SSN’s were everywhere!
• SSN was used as the identifier for both students and employees
• SSN was the unique identifier for most, if not all, student and employee-related systems
• SSN was prominently displayed on ID cards, Benefits Cards, Forms, Reports, Lists & Labels!
18
Why we needed to change our ways…
• FERPA
• HIPAA
• Federal & Illinois Laws
• Increased nationwide awareness
• Identify theft
19
Getting organized…
• Formed an “SSN Committee” with a primary mission to remove SSNs
• Established and updated University policies
• University established a “Compliance Director” (new position) • Assists in enforcing policies
20
Forming the SSN Committee…
• Chairs • Director of Information Technology Management Systems • Director of Human Resources Information • Director of Student Enterprise System
• Identified major systems using SSN
• Identified representative from each area to participate on the committee
21
The SSN Committee Mission
Identify and oversee initiatives to
protect the privacy of SSN’s
22
Initial activities of the SSN Committee…
•Defined additional systems with SSN
•Prioritized systems to be addressed
•Identified obstacles
•Established a target date to remove SSN for each system
23
Highlights of our SSN Policy
• Approved use is required
• Appropriate treatment of SSN
• Grandfathering • E.g. old record cards
• Exception Process
24
Major systems with SSN include…
• Human Resources
• Student Administration
• Alumni Relations
• Wildcard
• Bursar Check Cashing
• Housing / Food Service
• Athletics
• Student Loans
• Financial Management System
• Library • Kellogg Graduate School • Research Systems • Student Health • Parking • American Express • Labor Distribution
25
Obstacles and challenges
• Old Systems • Field Formats
• Health Care providers
• Coordination of vendor changes
• Interdependency of SSN across systems
• Resistance to change
26
Interdepencies in the use of SSN’s
Banks
Blackboard NetIDsOnlineDirectory
Wildcard
Library
RegulatoryAgencies
Alumni
Parking
Time Entry
EmployeeVerification
CUFS
BenefitVendors HRIS SES
StudentAffairs
27
Transforming People & Processes - HR
• Changed payroll and HR forms to Employee ID
• Took off SSN from Wildcard and announced the change so replacements could be issued
• Sent out notices about the danger of displaying and using SSN as identifier
• Forced Department representatives to start identifying employees by ID number
28
System Actions - HR
• Customized to mask SSNs by roles
• Tightened up security access to SSN’s
• Removed SSN’s from Queries
• SSN not displayed in self-service / electronic forms
• Removed SSN from Employee Table
• Removed / minimized SSN in interfaces
29
Transforming People & Processes - SA
• Changed from SSN to EMPLID for Student ID
• Self-Service Lookup for Student ID
• Changed forms to require new Student ID
• Removed SSN references from phone and web
30
Transforming People & Processes – SA (cont’d)
• New Student ID Cards with no SSN
• Later changed all Student ID Cards
• No verification by SSN
• Personnel changes to stop asking for SSN
31
System Actions - SA
• People/Student Data Split • Significantly limited access to People Data
• SSN Masking – few exceptions
• Removed SSN’s from Queries
• SSN not displayed in self-service
• Removed / minimized SSN in interfaces
32
System Actions - Interfaces
• Interfaces both within Northwestern Community and with outside vendors
• Do not allow transmission of SSN unless absolutely necessary
33
Interfaces – Technical Requirements
• Specific and Secure File Transfer Protocol
• Encryption
• No direct transfer into Production System
34
SSNs in Interfaces - Exceptions
We have a documented exception
policy and process if an SSN is
necessary on an interface
35
There’s more to do!
•Departmental Servers
•Local Management Information Systems
•Individual Workstations • Software package to assist
Apply and Share
Case Study > Developing an Executive Presentation
36
Title Protecting Student and Employee SSNs
Audience Executive management of a peer institution
Purpose Brief executive management about Northwestern University’s issues and remediation plan
Duration ~10 minutes
Apply and Share
Case Study > The Executive Presentation
37
Problem: Student and employee SSNs are used internally within information systems and externally on ID cards, forms, etc., for identification
Call to Action
• FERPA
• HIPPA
• Federal and state laws
• Identify theft
• Increased awareness
Challenges
• Old systems
• Health care providers
• Coordination with external vendors
• Interdependencies across systems
• Resistance to process changes
Remediation
• Institute SSN usage policy and compliance director position
• Develop alternate identifier for students and employee
• Remove or restrict access to SSNs within information systems
• Remove SSNs from forms, ID cards, and online displays
• Change business processes to not verify identity by SSN
• Utilize encryption and secure file transfer protocol when SSN transmission is required
• Launch communication and training program for community
Apply and Share
Small Group Exercise
38
Step Action
1 Divide into groups of 4 to 5
2 Choose a report, presentation, etc., to serve as the basis for an executive briefing • Copies of Harvard’s Staff Mobile Phone Policy are available as source material
3 Develop a one page executive briefing outlining the key points of your source material
4 Nominate a speaker to report your group’s results
Apply and Share
Report Out
39
Please share:
1. Concepts/tips you applied when creating your executive briefing
2. Challenges of the exercise
3. Lessons to pass along to others