Education, Experience and the Disconnect Between Privacy, Security and the University

Page 1: Education, Experience and the Disconnect Between Privacy, Security and the University

Education, Experience and the Disconnect Between Privacy, Security and the University

Patrick Feehan, Montgomery College
Ross Janssen, University of Minnesota
Sarah Morrow, The Pennsylvania State University
Jane Rosenthal, The University of Kansas

October 21, 2011

Page 2: Education, Experience and the Disconnect Between Privacy, Security and the University

UNIVERSITY OR CITY?

• What does a University really “look” like?

Page 3: Education, Experience and the Disconnect Between Privacy, Security and the University

MISSION STATEMENTS

• The University of Kansas is committed to safeguarding all Private Information entrusted to the University by the public and members of the KU community.

• This notice describes the University’s general privacy policy as it relates to the collection, protection and disclosure of such information.

• https://documents.ku.edu/policies/provost/PrivacyPolicyGeneral.htm

Page 4: Education, Experience and the Disconnect Between Privacy, Security and the University

BIG PICTURE

Page 5: Education, Experience and the Disconnect Between Privacy, Security and the University

BUILDING

• Buildings
• Acres
• Multiple Campuses
• Police
• Health Services
• Design & Construction
• Facilities Operations

Page 6: Education, Experience and the Disconnect Between Privacy, Security and the University

ATHLETICS & POLITICS

Page 7: Education, Experience and the Disconnect Between Privacy, Security and the University

HEALTH SERVICES

Page 8: Education, Experience and the Disconnect Between Privacy, Security and the University

FEDERAL PRIVACY LAWS

• 1890 – “The Right to Privacy” (Warren & Brandeis)
• 1966 – FOIA (Freedom of Information Act)
• 1970 – Fair Credit Reporting Act
• 1973 – Fair Information Practice Principles
• 1974 – Privacy Act
• 1974 – FERPA (Family Educational Rights and Privacy Act)
• 1986 – ECPA (Electronic Communications Privacy Act)
• 1996 – HIPAA (Health Insurance Portability and Accountability Act)
• 1997 – FDA Rule on Electronic Records & Signatures (21 CFR Part 11)
• 1998 – COPPA (Children’s Online Privacy Protection Act)
• 1999 – Gramm-Leach-Bliley
• 2003 – CAN-SPAM
• 2003 – FACTA (Fair and Accurate Credit Transactions Act)
• 2006 – GAPP (Generally Accepted Privacy Principles)
• 2009 – HITECH Act (Health Information Technology for Economic and Clinical Health Act)
• NIST 800-53 Draft Guidance on Privacy (Appendix J, draft)

Page 9: Education, Experience and the Disconnect Between Privacy, Security and the University

STATE LAWS

• Privacy of Health Info
• Mental Health Laws
• Drug Testing Laws
• Employment Laws
• Consumer Info
• Breach Notification
• Open Records/Sunshine Law

Page 10: Education, Experience and the Disconnect Between Privacy, Security and the University

POLICY

Policy lifecycle: Create, Use, Manage, Train

Policies in the landscape (word-cloud slide):
• Data Classification & Handling
• Email
• Record Retention Schedule
• HIPAA Clinic/Research
• Record Confidentiality
• Blackboard
• IT Security Policy
• Gramm-Leach-Bliley
• Roles & Responsibilities
• IM
• Password
• E-Data Disposal
• FERPA
• Systems Development
• Acceptable Use
• Student Records
• Credit Card/PCI
• Privacy Policy
• Peer-to-Peer
• Breach Report & Response
• ID Theft Prevention

Page 11: Education, Experience and the Disconnect Between Privacy, Security and the University

FOLLOW THE DATA

Page 12: Education, Experience and the Disconnect Between Privacy, Security and the University

THANK YOU

Jane Rosenthal
University of Kansas

[email protected]

Page 15: Education, Experience and the Disconnect Between Privacy, Security and the University

HOW DO YOU CLOSE THE GAPS & GET THINGS DONE?

• First, identify the gaps

• Where gaps come from:
• Budget pressures
• Independent decision making about technology
• Changes in technology
• Purchasing practices
• Lack of technical, physical, and administrative controls

Page 16: Education, Experience and the Disconnect Between Privacy, Security and the University

HOW DO YOU CLOSE THE GAPS & GET THINGS DONE?

• Understand privacy and security needs

• Regulatory

• Contractual

• Ethical etc.

Page 17: Education, Experience and the Disconnect Between Privacy, Security and the University

HOW DO YOU CLOSE THE GAPS & GET THINGS DONE?

Take a holistic approach

Develop and implement common:

• Policies

• Processes

• Education

Page 18: Education, Experience and the Disconnect Between Privacy, Security and the University

POLICIES

• Translate compliance requirements into consistent policies that address areas of control

• Set the bar

• Define roles and responsibilities

• Establish auditing practices

• Define disciplinary action

Page 19: Education, Experience and the Disconnect Between Privacy, Security and the University

PROCESSES

• Develop a governance framework and strategy that meets the goals of the organization

• Create groups that can make decisions or advise on privacy and security issues
• Privacy professionals should participate on security groups and vice versa
• Privacy Committee
• Security Advisory Committee
• Steering Committee

Page 20: Education, Experience and the Disconnect Between Privacy, Security and the University

PROCESSES

• Establish process to manage governance activities
• Risk assessment
• Privacy impact
• Access management

• Establish physical and environmental security standards

Page 21: Education, Experience and the Disconnect Between Privacy, Security and the University

EDUCATION

• Design and implement ongoing education programs that describe expectations for privacy and security practices that include:

• Information about the regulatory landscape
• How to appropriately use deployed technology
• Information about policies that set the expectation
• Consequences

Page 22: Education, Experience and the Disconnect Between Privacy, Security and the University

WHAT CAN HAPPEN IN THE GAP. . .

Page 23: Education, Experience and the Disconnect Between Privacy, Security and the University

HOW DID THAT HAPPEN?

• A decision was made
• A project got planned
• Security was at the table, but Privacy was not
• A GAP appeared
• Suddenly 13,000 users can’t use Google, business relationships are at risk, the University will be out of compliance

• The legacy email and calendaring systems have to stay – diminishing savings

• A new solution needs to be found

Page 24: Education, Experience and the Disconnect Between Privacy, Security and the University

The Privacy Perspective

Sarah Morrow, Chief Privacy Officer
The Pennsylvania State University
[email protected]

Page 25: Education, Experience and the Disconnect Between Privacy, Security and the University
Page 26: Education, Experience and the Disconnect Between Privacy, Security and the University

PRIVACY FUNCTION

Often folded into another area of responsibility:
• Not necessarily Security
• Legal
• Risk
• Compliance
• Often considered only related to Healthcare

No recognizable educational track available:
• No IT Security prerequisite
• No HE (higher education) classes per se
• No prerequisites in legal, compliance or risk

Page 27: Education, Experience and the Disconnect Between Privacy, Security and the University

Privacy Function, continued:

As a Privacy pro, how to mitigate your risk of lack of education in security:
• SANS Training (work-study)
• HIPAATraining.Net
• CHSE – Certified HIPAA Security Expert
• CHPSE – Certified HIPAA Privacy Security Expert
• Traditional education, new programs
• MBA – Information Security
• MPS – Information Security/Assurance
• Campus IT training
• Partner with your CISO

Page 28: Education, Experience and the Disconnect Between Privacy, Security and the University

PRIVACY 101
As a security pro, how to mitigate lack of Privacy training:

• DIY – research state and federal laws
• Rely on outside resources such as NACUBO, NACUA & EDUCAUSE
• Rely on University Counsel
• Monitor www.PrivacyRights.org
• HIPAAtraining.Net
• CHPA – Certified HIPAA Privacy Associate
• CHPE – Certified HIPAA Privacy Expert
• CHPSE – Certified HIPAA Privacy Security Expert
• I.A.P.P.

Page 29: Education, Experience and the Disconnect Between Privacy, Security and the University

Privacy Training

• International Association of Privacy Professionals (I.A.P.P.)
• Certifying body
• Over 9,000 members in 70 countries
• Internationally recognized
• Growing field of expertise
• Often certification is not a requirement in H.E.

Page 30: Education, Experience and the Disconnect Between Privacy, Security and the University

Privacy Training, Continued:

Multiple designations/specialties:
• CIPP/U.S. Corporate
• CIPP/Information Technology
• CIPP/Government
• CIPP/Canada
• CIPP/Europe (new 2012)

Two conferences annually:
• Regulatory based – spring, always Washington DC
• Information technology based – fall, location changes

Page 31: Education, Experience and the Disconnect Between Privacy, Security and the University

College. Bastion of Network and Information Security.

Page 32: Education, Experience and the Disconnect Between Privacy, Security and the University

Network and Information Security and Privacy Program

Information assets of Montgomery College (“College”), in all its forms and throughout its life cycle, will be protected through information management standards and actions that meet applicable federal, state, regulatory, or contractual requirements and support the college’s mission, vision, and values. It is the intent of OIT that through a layered combination of technology, standards and education the risk of attacks and incidents can be significantly reduced to a manageable level.

Page 33: Education, Experience and the Disconnect Between Privacy, Security and the University

Security in its place at the College.

Responsive. Speaks of securing against risk. Managing risk is a fundamental requirement of Information Security.

Most of us understand risk at some basic level. We are natural risk analysts. We sense or see some threat, make a quick assessment about our vulnerability, and decide how much risk we face. Sometimes we choose to do nothing. Sometimes we act.

Page 34: Education, Experience and the Disconnect Between Privacy, Security and the University

Earthquake X Sitting outside at a restaurant = Risk

Threat X Vulnerability = Risk

Risk = Likelihood X Impact

It can get much more complex (ALE = SLE * ARO, where SLE = asset value * exposure factor), with extensive calculations based upon asset value, exposure factor, or annualized rate of occurrence, but it is basically the same formula at its root.

Page 35: Education, Experience and the Disconnect Between Privacy, Security and the University

Security Controls – Compensatory Controls

Mitigation is the most commonly considered risk management strategy. Mitigation involves fixing the flaw or providing some type of compensatory control to reduce the likelihood or impact associated with the flaw.

The Controls we choose (counter measures or mitigation) to mitigate risk help determine the state of privacy that we have promised our clients.
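The arithmetic on the previous slide and the control-selection step described here, carried through on constructed numbers. This is an added example, not code from the presentation or from any of the speakers' institutions: the scenarios, dollar figures and the effect each control has on ARO (likelihood) or EF (impact) are invented for illustration. It shows SLE = AV * EF and ALE = SLE * ARO per scenario, ranks scenarios by ALE, and then picks the compensatory control whose avoided annual loss exceeds its annual cost, or accepts the risk when none does.

```python
"""Risk arithmetic from the slides, carried through on constructed numbers.

SLE = AV * EF      single loss expectancy: cost of one occurrence
ALE = SLE * ARO    annualized loss expectancy
A control lowers ARO (likelihood) and/or EF (impact); it is worth buying
when the ALE it removes exceeds its own annual cost.
Every scenario, figure and control effect below is a constructed example.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV: dollars at stake (e.g. breach-notification cost)
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0..1
    aro: float              # ARO: expected occurrences per year

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_factor: float = 1.0  # multiplier on ARO; < 1 lowers likelihood (preventive)
    ef_factor: float = 1.0   # multiplier on EF; < 1 lowers impact (corrective)

    def apply(self, s: Scenario) -> Scenario:
        """The scenario as it looks once this control is in place."""
        return replace(s, aro=s.aro * self.aro_factor,
                       exposure_factor=min(1.0, s.exposure_factor * self.ef_factor))

    def net_benefit(self, s: Scenario) -> float:
        """ALE avoided per year minus what the control costs per year."""
        return s.ale - self.apply(s).ale - self.annual_cost


def rank_by_ale(scenarios):
    """Order scenarios by annualized loss, largest first: where attention goes."""
    return sorted(scenarios, key=lambda s: s.ale, reverse=True)


def choose_control(scenario, controls):
    """Best control by net benefit, or None if none pays for itself (accept the risk)."""
    best = max(controls, key=lambda c: c.net_benefit(scenario))
    return best if best.net_benefit(scenario) > 0 else None


# Constructed scenarios for a campus with a clinic and student records.
LAPTOP = Scenario("unencrypted laptop with student records lost", 400_000, 0.25, 2.0)
CLINIC = Scenario("clinic EHR outage during exam week", 2_000_000, 0.05, 0.5)
PHISH = Scenario("staff credential phished", 300_000, 0.10, 4.0)

# Constructed controls for the laptop scenario.
FDE = Control("full-disk encryption on all laptops", 40_000, ef_factor=0.1)
LOCKS = Control("cable locks plus awareness training", 5_000, aro_factor=0.5)
ACCEPT = Control("accept the risk", 0.0)


if __name__ == "__main__":
    for s in rank_by_ale([LAPTOP, CLINIC, PHISH]):
        print(f"ALE {s.ale:>10,.0f}  {s.name}")
    chosen = choose_control(LAPTOP, [FDE, LOCKS, ACCEPT])
    print("laptop control:", chosen.name if chosen else "none (accept)")
```

Encryption is modelled as an impact reducer (a lost encrypted laptop is not a reportable breach) while locks and training only reduce how often laptops go missing; that distinction is why the more expensive control wins here. The same structure works for the qualitative Likelihood X Impact version of the formula by substituting ordinal scores for dollars.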

Page 36: Education, Experience and the Disconnect Between Privacy, Security and the University

Compensatory Controls – Our Link to Privacy

Controls create the security system, which allows a state of privacy to exist…to an extent.

Controls are categorized two ways. First, by function:
• Preventive – prevent the loss from occurring (e.g. segregation of duties)
• Detective – monitoring activity to identify risky activities or operations
• Corrective – restore a system or process back to a prior state (e.g. backups)

Page 37: Education, Experience and the Disconnect Between Privacy, Security and the University

There is also another way to think of controls, by type:
• Administrative: laws, regulations, policies, practices and guidelines
• Logical: virtual, application and technical controls
• Physical: video surveillance, door locks, guards, remote backup

Page 38: Education, Experience and the Disconnect Between Privacy, Security and the University

HIPAA COMPLIANCE (diagram)

• Technical Security
• Administrative Security – procedures, legal compliance
• Physical Security
• Business Associate Management

HIPAA DOES A GREAT JOB OF MAKING US THINK ABOUT CONTROLS

Page 39: Education, Experience and the Disconnect Between Privacy, Security and the University

HIPAA ADMINISTRATIVE PROCEDURES (§164.308)

Standard: Implementation Specifications ((R) = required, (A) = addressable)

• Security Management Process §164.308(a)(1): Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)
• Assigned Security Responsibility §164.308(a)(2): No additional implementation specification
• Workforce Security §164.308(a)(3): Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A)
• Information Access Management §164.308(a)(4): Isolating Health Care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A)

Page 40: Education, Experience and the Disconnect Between Privacy, Security and the University

ADMINISTRATIVE PROCEDURES (CONT’D.)

Standard: Implementation Specifications ((R) = required, (A) = addressable)

• Security Awareness and Training §164.308(a)(5): Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)
• Security Incident Procedures §164.308(a)(6): Response and Reporting (R)
• Contingency Planning §164.308(a)(7): Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A)
• Evaluation §164.308(a)(8): No additional implementation specification (R)
• Business Associate Contracts and Other Arrangements §164.308(b)(1): Written Contract or Other Arrangement (R)

Page 41: Education, Experience and the Disconnect Between Privacy, Security and the University

PHYSICAL SECURITY SAFEGUARDS (§164.310)

Standard: Implementation Specifications ((R) = required, (A) = addressable)

• Facility Access Controls §164.310(a)(1): Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)
• Workstation Use §164.310(b): No additional implementation specification (R)
• Workstation Security §164.310(c): No additional implementation specification (R)
• Device and Media Controls §164.310(d)(1): Disposal (R); Media Re-Use (R); Accountability (A); Data Backup and Storage (A)

Page 42: Education, Experience and the Disconnect Between Privacy, Security and the University

TECHNICAL SAFEGUARDS (§164.312)

Standard: Implementation Specifications ((R) = required, (A) = addressable)

• Access Controls §164.312(a)(1): Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)
• Audit Controls §164.312(b): No additional implementation specification (R)
• Integrity §164.312(c)(1): Mechanism to Authenticate Electronic PHI (A)
• Person or Entity Authentication §164.312(d): No additional implementation specification (R)
• Transmission Security §164.312(e)(1): Integrity Controls (A); Encryption (A)
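Several of the specifications in these tables are detective controls that only exist if someone actually reads the logs: Information System Activity Review under the Security Management Process, Log-in Monitoring under Security Awareness and Training, Unique User Identification under Access Controls, and Audit Controls. The example below is an added one, not code from the presentation or from any of the institutions named on it. It runs three such reviews over a constructed application log: failed-login bursts per user, PHI record access under shared (non-unique) accounts, and record access outside working hours. The log format, host name, account names, thresholds and every log line are assumptions made for the example.

```python
"""Information system activity review over a constructed application log:
failed-login bursts (log-in monitoring), record access under shared accounts
(no unique user identification) and after-hours PHI access (audit controls).
Format, host, account names, thresholds and all lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> <host> <event> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\w+) (?P<kv>.*)$")

# Constructed sample log: one night and the following working day.
SAMPLE_LOG = """\
2011-10-21T02:13:07 ehr-app login user=jdoe result=FAIL src=10.1.4.7
2011-10-21T02:13:12 ehr-app login user=jdoe result=FAIL src=10.1.4.7
2011-10-21T02:13:18 ehr-app login user=jdoe result=FAIL src=10.1.4.7
2011-10-21T02:13:25 ehr-app login user=jdoe result=FAIL src=10.1.4.7
2011-10-21T02:13:31 ehr-app login user=jdoe result=FAIL src=10.1.4.7
2011-10-21T02:13:40 ehr-app login user=jdoe result=OK src=10.1.4.7
2011-10-21T02:15:02 ehr-app record_access user=jdoe patient=MRN0017 src=10.1.4.7
2011-10-21T08:02:10 ehr-app login user=nurse1 result=FAIL src=10.2.0.15
2011-10-21T08:02:30 ehr-app login user=nurse1 result=OK src=10.2.0.15
2011-10-21T09:15:00 ehr-app record_access user=nurse1 patient=MRN0017 src=10.2.0.15
2011-10-21T11:40:44 ehr-app record_access user=shared_clinic patient=MRN0042 src=10.2.0.30
2011-10-21T23:40:00 ehr-app record_access user=billing2 patient=MRN0099 src=10.3.1.9
"""

# Accounts that do not identify a single person (constructed names).
SHARED_ACCOUNTS = frozenset({"shared_clinic", "frontdesk"})


def parse_line(line):
    """One log line to a dict of fields, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skipped explicitly rather than misread
    ev = dict(pair.split("=", 1) for pair in m["kv"].split() if "=" in pair)
    ev.update(ts=datetime.fromisoformat(m["ts"]), host=m["host"], event=m["event"])
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed logins inside a sliding window."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in events:
        if ev["event"] != "login" or ev.get("result") != "FAIL":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ev["user"])
    return sorted(flagged)


def shared_account_use(events, shared=SHARED_ACCOUNTS):
    """PHI records opened under an account that cannot be tied to one person."""
    return sorted({(ev["user"], ev["patient"]) for ev in events
                   if ev["event"] == "record_access" and ev["user"] in shared})


def after_hours_phi_access(events, start_hour=7, end_hour=19):
    """Record access outside working hours [start_hour, end_hour), in log order."""
    return [(ev["user"], ev["patient"], ev["ts"].isoformat())
            for ev in events
            if ev["event"] == "record_access"
            and not (start_hour <= ev["ts"].hour < end_hour)]


def activity_review(text):
    """The three reviews over one log, as a report keyed by finding type."""
    events = parse_log(text)
    return {
        "failed_login_bursts": failed_login_bursts(events),
        "shared_account_use": shared_account_use(events),
        "after_hours_phi_access": after_hours_phi_access(events),
    }


if __name__ == "__main__":
    for finding, items in activity_review(SAMPLE_LOG).items():
        print(f"{finding}: {items}")
```

On the sample log the review flags jdoe (five failures in under a minute followed by a success and a record access at 02:15), the shared_clinic account opening a record, and two after-hours accesses. The shared-account finding is the one that matters most for the Unique User Identification specification: no amount of log review can say who was at the keyboard when the account is shared, so the fix is administrative (retire the account), not a better detector.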

Page 43: Education, Experience and the Disconnect Between Privacy, Security and the University

And A Shameless Plug For The Higher Education Information Security Council (HEISC) Security Guide Editorial Board

We have created a guide to the security controls required by ISO 27002, which is a great security standard. https://wiki.internet2.edu/confluence/display/itsg2/Home

Page 44: Education, Experience and the Disconnect Between Privacy, Security and the University

ISO 27002 – 11 Security Control Clauses (centred on Information: Confidentiality, Integrity, Availability)

• Security Policy
• Organization of Information Security
• Asset Management
• Human Resource Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Information Systems Acquisition, Development & Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance

Page 45: Education, Experience and the Disconnect Between Privacy, Security and the University

NIST 800-53 – ANOTHER GREAT SET OF CONTROLS - AS IT NOW EXISTS

Page 46: Education, Experience and the Disconnect Between Privacy, Security and the University

NIST EFFECTIVE DECEMBER 2011

Page 47: Education, Experience and the Disconnect Between Privacy, Security and the University

NIST PRIVACY CONTROLS – DATA GOVERNANCE/MANAGEMENT

• TR Transparency: TR-1 Privacy Notice; TR-2 Dissemination of Privacy Program Information
• IP Individual Participation and Redress: IP-1 Consent; IP-2 Access; IP-3 Redress; IP-4 Complaint Management
• AP Authority and Purpose: AP-1 Authority to Collect; AP-2 Purpose Specification
• DM Data Minimization and Retention: DM-1 Minimization of Personally Identifiable Information; DM-2 Data Retention and Disposal
• UL Use Limitation: UL-1 Internal Use; UL-2 Information Sharing; UL-3 System Design and Development
• DI Data Quality and Integrity: DI-1 Data Quality; DI-2 Data Integrity
• SE Security: SE-1 Inventory of Personally Identifiable Information; SE-2 Privacy Incident Response
• AR Accountability, Audit, and Risk Management: AR-1 Governance and Privacy Program; AR-2 Privacy Impact and Risk Assessment; AR-3 Privacy Requirements for Contractors and Service Providers; AR-4 Privacy Monitoring and Auditing; AR-5 Privacy Awareness and Training; AR-6 Privacy Reporting

Page 50: Education, Experience and the Disconnect Between Privacy, Security and the University

THANK YOU