Education, Experience and the Disconnect Between Privacy, Security and the University
Patrick Feehan, Montgomery College
Ross Janssen, University of Minnesota
Sarah Morrow, The Pennsylvania State University
Jane Rosenthal, The University of Kansas
October 21, 2011
UNIVERSITY OR CITY?
• What does a University really “look” like?
MISSION STATEMENTS
• The University of Kansas is committed to safeguarding all Private Information entrusted to the University by the public and members of the KU community.
• This notice describes the University’s general privacy policy as it relates to the collection, protection and disclosure of such information.
• https://documents.ku.edu/policies/provost/PrivacyPolicyGeneral.htm
BIG PICTURE
BUILDING
• Buildings
• Acres
• Multiple Campuses
• Police
• Health Services
• Design & Construction
• Facilities Operations
ATHLETICS & POLITICS
HEALTH SERVICES
FEDERAL PRIVACY LAWS
• Right to Privacy, 1890 (Brandeis & Warren)
• FOIA, 1966
• Fair Information Practice Principles, 1973
• Privacy Act, 1974
• Family Educational Rights and Privacy Act (FERPA), 1974
• Electronic Communications Privacy Act (ECPA), 1986
• HIPAA: Health Insurance Portability and Accountability Act, 1996
• COPPA: Children’s Online Privacy Protection Act, 1998
• Gramm-Leach-Bliley Act, 1999
• Fair Credit Reporting Act
• FDA Rule on Electronic Records & Signatures
• CAN-SPAM, 2003
• FACTA: Fair and Accurate Credit Transactions Act, 2003
• HITECH Act, 2009: Health Information Technology for Economic and Clinical Health Act
• GAPP, 2006; NIST 800-53 draft guidance on privacy
STATE LAWS
• Privacy of Health Info
• Mental Health Laws
• Drug Testing Laws
• Employment Laws
• Consumer Info
• Breach Notification
• Open Records / Sunshine Law
POLICY
Lifecycle: Create, Use, Manage, Train
• Data Classification & Handling
• Email
• Record Retention Schedule
• HIPAA (Clinic/Research)
• Record Confidentiality
• Blackboard
• IT Security Policy
• Gramm-Leach-Bliley
• Roles & Responsibilities IM
• Password
• E-Data Disposal
• FERPA
• Systems Development
• Acceptable Use
• Student Records
• Credit Card/PCI
• Privacy Policy
• Peer-to-Peer
• Breach Report & Response
• ID Theft Prevention
FOLLOW THE DATA
THANK YOU
Jane Rosenthal
University of Kansas
HOW DO YOU CLOSE THE GAPS & GET THINGS DONE?
• First, identify the gaps
• Where gaps come from:
• Budget pressures
• Independent decision making about technology
• Changes in technology
• Purchasing practices
• Lack of technical, physical, and administrative controls
HOW DO YOU CLOSE THE GAPS & GET THINGS DONE?
• Understand privacy and security needs
• Regulatory
• Contractual
• Ethical etc.
HOW DO YOU CLOSE THE GAPS & GET THINGS DONE?
Take a holistic approach
Develop and implement common:
• Policies
• Processes
• Education
POLICIES
• Translate compliance requirements into consistent policies that address areas of control
• Set the bar
• Define roles and responsibilities
• Establish auditing practices
• Define disciplinary action
PROCESSES
• Develop a governance framework and strategy that meets the goals of the organization
• Create groups that can make decisions or advise on privacy and security issues
• Privacy professionals should participate on security groups and vice versa
• Privacy Committee
• Security Advisory Committee
• Steering Committee
PROCESSES
• Establish processes to manage governance activities
• Risk assessment
• Privacy impact assessment
• Access management
• Establish physical and environmental security standards
EDUCATION
• Design and implement ongoing education programs that describe expectations for privacy and security practices that include:
• Information about the regulatory landscape
• How to appropriately use deployed technology
• Information about the policies that set the expectation
• Consequences
WHAT CAN HAPPEN IN THE GAP. . .
HOW DID THAT HAPPEN?
• A decision was made
• A project got planned
• Security was at the table, but Privacy was not
• A GAP appeared
• Suddenly 13,000 users can’t use Google, business relationships are at risk, and the University will be out of compliance
• The legacy email and calendaring systems have to stay – diminishing savings
• A new solution needs to be found
The Privacy Perspective
Sarah Morrow, Chief Privacy Officer
The Pennsylvania State University
[email protected]
PRIVACY FUNCTION
Often folded into another area of responsibility:
• Not necessarily Security
• Legal
• Risk
• Compliance
• Often considered only in relation to Healthcare
No recognizable educational track available:
• No IT Security prerequisite
• No HE classes per se
• No prerequisites in legal, compliance or risk
Privacy Function, continued:
As a Privacy pro, how to mitigate your risk from a lack of education in security:
• SANS Training (work-study)
• HIPAATraining.Net
• CHSE – Certified HIPAA Security Expert
• CHPSE – Certified HIPAA Privacy Security Expert
• Traditional education, new programs
• MBA – Information Security
• MPS – Information Security/Assurance
• Campus IT training
• Partner with your CISO
PRIVACY 101
As a security pro, how to mitigate a lack of Privacy training:
• DIY – research state and federal laws
• Rely on outside resources such as: NACUBO, NACUA & EDUCAUSE
• Rely on University Counsel
• Monitor www.PrivacyRights.org
• HIPAAtraining.Net
• CHPA – Certified HIPAA Privacy Associate
• CHPE – Certified HIPAA Privacy Expert
• CHPSE – Certified HIPAA Privacy Security Expert
• I.A.P.P.
Privacy Training
• International Association of Privacy Professionals (I.A.P.P.)
• Certifying body
• Over 9,000 members in 70 countries
• Internationally recognized
• Growing field of expertise
• Often certification is not a requirement in H.E.
Privacy Training, Continued:
Multiple Designations/ Specialties
• CIPP/US – U.S. corporate
• CIPP/IT – Information Technology
• CIPP/G – Government
• CIPP/C – Canada
• CIPP/E – Europe (new in 2012)
Two conferences annually:
• Regulatory based – spring, always in Washington, DC
• Information technology based – fall, location changes
College. Bastion of Network and Information Security.
Network and Information Security and Privacy Program
Information assets of Montgomery College (“College”), in all its forms and throughout its life cycle, will be protected through information management standards and actions that meet applicable federal, state, regulatory, or contractual requirements and support the college’s mission, vision, and values. It is the intent of OIT that through a layered combination of technology, standards and education the risk of attacks and incidents can be significantly reduced to a manageable level.
Security in its place at the College.
Responsive: it speaks of securing against risk. Managing risk is a fundamental requirement of information security.
Most of us understand risk at some basic level. We are natural risk analysts. We sense or see some threat, make a quick assessment of our vulnerability, and decide how much risk we face. Sometimes we choose to do nothing. Sometimes we act.
Earthquake × Sitting outside at a restaurant = Risk
Threat × Vulnerability = Risk
Risk = Likelihood × Impact
It can get much more complex (ALE = SLE × ARO, where SLE = asset value × exposure factor), with extensive calculations based upon asset value, exposure factor, or annualized rate of occurrence, but it is basically the same formula at its root: likelihood (ARO) times impact (SLE).
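As an added worked example (not part of the original slides), the formulas above carried through in Python: SLE = asset value × exposure factor, ALE = SLE × ARO, and the cost/benefit test that decides whether a control is worth buying. All asset values, exposure factors, incident rates and control names below are constructed assumptions for illustration, not figures from any institution.

```python
"""Quantitative risk: SLE = AV x EF, ALE = SLE x ARO, and the value of a control.

Constructed example figures only; real inputs come from the asset inventory,
incident history and breach-cost estimates of the institution doing the analysis.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: dollar value of the asset, or cost of a total loss
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0 .. 1.0
    aro: float              # ARO: expected incidents per year (the "likelihood")

    def sle(self) -> float:
        """Single Loss Expectancy: dollar impact of one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: Likelihood x Impact, in dollars per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_ef: Optional[float] = None   # set when the control reduces impact
    residual_aro: Optional[float] = None  # set when the control reduces likelihood


def apply_control(risk: Risk, control: Control) -> Risk:
    """Residual risk once the control is in place (mitigation lowers EF, ARO or both)."""
    return replace(
        risk,
        exposure_factor=risk.exposure_factor if control.residual_ef is None else control.residual_ef,
        aro=risk.aro if control.residual_aro is None else control.residual_aro,
    )


def control_value(risk: Risk, control: Control) -> float:
    """Annual value of a control: ALE removed minus what the control costs.

    A negative result means the control costs more than the loss it prevents;
    the options then are to accept or transfer the risk, or find a cheaper control.
    """
    return risk.ale() - apply_control(risk, control).ale() - control.annual_cost


def rank_by_ale(risks: List[Risk]) -> List[str]:
    """Risk names ordered by ALE, highest first: where to spend first."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale(), reverse=True)]


# Constructed figures (assumptions for illustration only).
LAPTOP = Risk("Unencrypted laptop holding student records", 500_000, 0.40, 0.5)
FILESERVER = Risk("Clinic file server outage", 2_000_000, 0.10, 0.25)
PHISHING = Risk("Phished staff credentials", 100_000, 0.50, 1.5)

FDE = Control("Full-disk encryption on laptops", 30_000, residual_ef=0.02)
BACKUP = Control("Off-site backup with tested restores", 20_000, residual_ef=0.02)
TOKENS = Control("Hardware tokens for all staff", 120_000, residual_aro=0.5)

if __name__ == "__main__":
    for risk, ctrl in ((LAPTOP, FDE), (FILESERVER, BACKUP), (PHISHING, TOKENS)):
        print(f"{risk.name}: SLE=${risk.sle():,.0f}  ALE=${risk.ale():,.0f}/yr")
        print(f"  {ctrl.name}: residual ALE=${apply_control(risk, ctrl).ale():,.0f}/yr, "
              f"net value=${control_value(risk, ctrl):,.0f}/yr")
    print("Spend first on:", rank_by_ale([LAPTOP, FILESERVER, PHISHING]))
```

With these assumed figures the laptop risk has an ALE of $100,000 a year and encryption pays for itself several times over, while the token rollout removes only $50,000 of annual loss for a $120,000 annual cost, so it fails the test even though it genuinely lowers the likelihood. The point the deck makes holds either way: the qualitative Likelihood × Impact and the quantitative ALE are the same formula, and the control you pick is what sets the residual risk you can honestly promise to your clients.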
Security Controls – Compensatory Controls
Mitigation is the most commonly considered risk management strategy. Mitigation involves fixing the flaw or providing some type of compensatory control to reduce the likelihood or impact associated with the flaw.
The Controls we choose (counter measures or mitigation) to mitigate risk help determine the state of privacy that we have promised our clients.
Compensatory Controls – Our Link to Privacy
Controls create the security system, which allows a state of privacy to exist… to an extent.
Controls are categorized in two ways.
By function:
- Preventive – prevent the loss from occurring (segregation of duties)
- Detective – monitor activity to identify risky activities or operations (log review)
- Corrective – restore a system or process to a prior state (backups)
By nature:
- Administrative: laws, regulations, policies, practices and guidelines
- Logical: virtual, application and technical controls
- Physical: video surveillance, door locks, guards, remote backup
HIPAA safeguard areas:
• Administrative Security – procedures, legal compliance
• Physical Security
• Technical Security
• Business Associate Management
HIPAA COMPLIANCE
HIPAA DOES A GREAT JOB OF MAKING US THINK ABOUT CONTROLS
HIPAA ADMINISTRATIVE PROCEDURES (§164.308)
Standard: implementation specifications; (R) = required, (A) = addressable
• Security Management Process §164.308(a)(1): Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)
• Assigned Security Responsibility §164.308(a)(2): no additional implementation specification (R)
• Workforce Security §164.308(a)(3): Authorization and/or Supervision (A); Workforce Clearance Procedure (A); Termination Procedures (A)
• Information Access Management §164.308(a)(4): Isolating Health Care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A)
• Security Awareness and Training §164.308(a)(5): Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)
• Security Incident Procedures §164.308(a)(6): Response and Reporting (R)
• Contingency Planning §164.308(a)(7): Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A)
• Evaluation §164.308(a)(8): no additional implementation specification (R)
• Business Associate Contracts and Other Arrangements §164.308(b)(1): Written Contract or Other Arrangement (R)
PHYSICAL SECURITY SAFEGUARDS (§164.310)
• Facility Access Controls §164.310(a)(1): Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)
• Workstation Use §164.310(b): no additional implementation specification (R)
• Workstation Security §164.310(c): no additional implementation specification (R)
• Device and Media Controls §164.310(d)(1): Disposal (R); Media Re-Use (R); Accountability (A); Data Backup and Storage (A)
TECHNICAL SAFEGUARDS (§164.312)
• Access Controls §164.312(a)(1): Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)
• Audit Controls §164.312(b): no additional implementation specification (R)
• Integrity §164.312(c)(1): Mechanism to Authenticate Electronic PHI (A)
• Person or Entity Authentication §164.312(d): no additional implementation specification (R)
• Transmission Security §164.312(e)(1): Integrity Controls (A); Encryption (A)
And a shameless plug for the Higher Education Information Security Council (HEISC) Security Guide Editorial Board:
We have created a guide to the security controls required by ISO 27002, which is a great security standard. https://wiki.internet2.edu/confluence/display/itsg2/Home
ISO 27002 – 11 Security Control Clauses
• Security Policy
• Organization of Information Security
• Asset Management
• Human Resource Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Information Systems Acquisition, Development & Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance
At the centre: Information – Confidentiality, Integrity, Availability
NIST 800-53 – ANOTHER GREAT SET OF CONTROLS – AS IT NOW EXISTS
NIST EFFECTIVE DECEMBER 2011
NIST PRIVACY CONTROLS – DATA GOVERNANCE/MANAGEMENT
• TR – Transparency: TR-1 Privacy Notice; TR-2 Dissemination of Privacy Program Information
• IP – Individual Participation and Redress: IP-1 Consent; IP-2 Access; IP-3 Redress; IP-4 Complaint Management
• AP – Authority and Purpose: AP-1 Authority to Collect; AP-2 Purpose Specification
• DM – Data Minimization and Retention: DM-1 Minimization of Personally Identifiable Information; DM-2 Data Retention and Disposal
• UL – Use Limitation: UL-1 Internal Use; UL-2 Information Sharing; UL-3 System Design and Development
• DI – Data Quality and Integrity: DI-1 Data Quality; DI-2 Data Integrity
• SE – Security: SE-1 Inventory of Personally Identifiable Information; SE-2 Privacy Incident Response
• AR – Accountability, Audit, and Risk Management: AR-1 Governance and Privacy Program; AR-2 Privacy Impact and Risk Assessment; AR-3 Privacy Requirements for Contractors and Service Providers; AR-4 Privacy Monitoring and Auditing; AR-5 Privacy Awareness and Training; AR-6 Privacy Reporting
Patrick J. [email protected]
THANK YOU