Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005 Dave Millar, Information Security Officer Lauren Steinfeld, Chief Privacy Officer


Data Protection in Higher Education: Recent Experiences in Privacy and Security

Institute for Computer Law and Policy
Cornell University

June 29, 2005

Dave Millar, Information Security Officer
Lauren Steinfeld, Chief Privacy Officer


Overview

• Why is Privacy Challenging in Higher Education

• Recent Environment

• Role of CPO and ISO

• Privacy and Security: Conflicts and Collaborations

• Risk Assessment Tool -- SPIA

• Conclusions


Why is Privacy Challenging for Higher Ed?

• Range and volume of personal data held:
– Employees
– Faculty
– Students
– Alumni
– Donors
– Research subjects
– Parents
– Others

• Vast and complex services
– Academic programs
– Patient care
– Research
– Financial aid
– Legal
– Audit
– Library
– IT
– Housing
– Dining
– Parking
– Facilities management

• Decentralization / distributed systems and processes

• Older, less manageable systems – often containing SSNs as keys to identity

• Open IT systems

• Academic Freedom

• Greater security risks


Recent Environment

• Increased regulation in privacy and security
– Previously: data protection for higher ed was largely covered by FERPA
– Recent regulation: HIPAA privacy and security, GLBA safeguards, FACTA, CAN SPAM, PCI Standards, and more

• More local data opportunities in decentralized environment
– More people building their own
– More independent and creative uses and sharing of data

• More security threats to data, systems, networks


Role of CPO

• Relatively new in higher ed

• At Penn: Housed in Office of Audit, Compliance, and Privacy (new)

• Official Activities
– Education, Training, Awareness
– Risk Assessment
– Risk Remediation
– Oversight and Monitoring

• Other functions
– Championing discussion of issue
– Serving as point of contact for questions / concerns
– Coordinating compliance activities


Role of ISO

• Education, awareness, training

• Incident response

• Protecting data

– Enforce existing policy – primarily by managing exceptions identified through pro-active scanning

– Identify weaknesses where best practices are not being followed – e.g. password policies, patching, Windows domain administration

– Bring management attention to problem areas

– Advancing new security policy agendas


Examples of Recent Initiatives

CPO
• Awareness focus: ID Theft, Records Destruction
• SSN Usage Survey
• Electronic Payments Policy
• Online Directory
• HIPAA Privacy
• FERPA Consent Online
• Security and Privacy Impact Assessments
• CAN SPAM Guidance
• FACTA compliance
• Incident Response
• Privacy Liaisons

ISO
• Proactive Scanning
• Policy Work
– Additional on Critical Host Policy
– Host Security
• HIPAA Assessments and Policy
• Security and Privacy Impact Assessments
• Wired Authentication
• Incident Response
• Incident Management Reports
• Patch Management
• Campus-wide awareness


Privacy and Security: Conflicts and Collaborations

• Conflicts:
– Wired Authentication
– Electronic Monitoring
– Intrusion Detection

• Collaborations
– Awareness
– SPIA
– Incident Response
– PCI Standards


High Impact Example: Risk Assessments – Security and Privacy

• Recognizes the complementary potential of the two issues

• Team: Security, Privacy, Audit, Business Services

• Draws on:
– Pilot results of v1 SPIA tool
– Randy Marchany’s STAR Virginia Tech model
– HIPAA Security model
– Audit approach


Security and Privacy Impact Assessments – Basic Approach

• Phase I: High Level Inventory, Prioritization / SPIA Planning
– IT Director of Unit performs inventory and high-level prioritization of assets for 3 year plan for performing SPIAs
– Highest priority (including “Critical Hosts” in next FY)

• Phase II: Actual Risk Assessment
– Inventory specific assets (applications only)
– For each asset
  • Score likelihood and consequence of certain risks / threats
  • Evaluate potential risk mitigation strategies and develop plan for such mitigation
  • Re-assign, based on mitigation plan, likelihood and consequence of risks / threats

• Phase III: Reporting
– IT Director?
– CPO / ISO?
– Source Steward(s)? (link to data stewardship)
– Advisory Board?


Conclusions

• Close collaboration between privacy and security is very effective

– Organizational independence allows us to be more effective.

– We fine-tune each other’s educational materials and messages.

• Double the person-power reaching out to different audiences broadens impact

– The issue of privacy and risks of identity theft and institutional risk bring a high level of management attention to technical lapses.

– Areas of conflict are addressed in a manner that gives due attention to each of the competing interests

• Continued work on how to best leverage the different focus areas, backgrounds, expertise, partnerships from each office for the overall institutional benefit