Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005

1
Data Protection in Higher Education Recent
Experiences in Privacy and Security Institute
for Computer Law and PolicyCornell
UniversityJune 29, 2005

• Dave Millar, Information Security Officer
• Lauren Steinfeld, Chief Privacy Officer

2
Overview

• Why is Privacy Challenging in Higher Education
• Recent Environment
• Role of CPO and ISO
• Privacy and Security Conflicts and
  Collaborations
• Risk Assessment Tool -- SPIA
• Conclusions

3
Why is Privacy Challenging for Higher Ed?

• Range and volume of personal data held
• Employees Faculty
• Students Alumni
• Donors Research subjects
• Parents Others
• Vast and complex services
• Academic programs Patient care
• Research Financial aid
• Legal Audit
• Library IT
• Housing Dining
• Parking Facilities management
• Decentralization / distributed systems and
  processes
• Older, less manageable systems often containing
  SSNs as keys to identity
• Open IT systems
• Academic Freedom Greater security risks

4
Recent Environment

• Increased regulation in privacy and security
• Previously data protection for higher ed was
  largely
• covered by FERPA
• Recent regulation HIPAA privacy and security,
  GLBA safeguards, FACTA, CAN SPAM, PCI Standards,
  and more
• More local data opportunities in decentralized
  environment
• More people building their own
• More independent and creative uses and sharing of
  data
• More security threats to data, systems, networks

5
Role of CPO

• Relatively new in higher ed
• At Penn Housed in Office of Audit, Compliance,
• and Privacy (new)
• Official Activities
• Education, Training, Awareness
• Risk Assessment
• Risk Remediation
• Oversight and Monitoring
• Other functions
• Championing discussion of issue
• Serving as point of contact for questions /
  concerns
• Coordinating compliance activities

6
Role of ISO

• Education, awareness, training
• Incident response
• Protecting data
• Enforce existing policy primarily by managing
  exceptions identified through pro-active scanning
• Identify weaknesses where best practices are not
  being followed e.g. password policies,
  patching, Windows domain administration
• Bring management attention to problem areas
• Advancing new security policy agendas

7
Examples of Recent Initiatives

• CPO
• Awareness focus ID Theft, Records Destruction
• SSN Usage Survey
• Electronic Payments Policy
• Online Directory
• HIPAA Privacy
• FERPA Consent Online
• Security and Privacy Impact Assessments
• CAN SPAM Guidance
• FACTA compliance
• Incident Response
• Privacy Liaisons

• ISO
• Proactive Scanning
• Policy Work
• Additional on Critical Host Policy
• Host Security
• HIPAA Assessments and Policy
• Security and Privacy Impact Assessments
• Wired Authentication
• Incident Response
• Incident Management Reports
• Patch Management
• Campus-wide awareness

8
Privacy and Security Conflicts and
Collaborations

• Conflicts
• Wired Authentication
• Electronic Monitoring
• Intrusion Detection
• Collaborations
• Awareness
• SPIA
• Incident Response
• PCI Standards

9
High Impact Example Risk Assessments Security
and Privacy

• Recognizes the complementary potential of the
• two issues
• Team Security, Privacy, Audit, Business
  Services
• Draws on
• Pilot results of v1 SPIA tool
• Randy Marchanys STAR Virginia Tech model
• HIPAA Security model
• Audit approach

10
Security and Privacy Impact Assessments Basic
Approach

• Phase I High Level Inventory, Prioritization /
  SPIA Planning
• IT Director of Unit performs inventory and
  high-level prioritization of assets for 3 year
  plan for performing SPIAs
• Highest priority (including Critical Hosts in
  next FY)
• Phase II Actual Risk Assessment
• Inventory specific assets (applications only)
• For each asset
• Score likelihood and consequence of certain risks
  / threats
• Evaluate potential risk mitigation strategies and
  develop plan for such mitigation
• Re-assign, based on mitigation plan, likelihood
  and consequence of risks / threats
• Phase III Reporting
• IT Director?
• CPO / ISO?
• Source Steward(s)? (link to data stewardship)
• Advisory Board?

11
Conclusions

• Close collaboration between privacy and security
  is very effective
• Organizational independence allows us to be more
  effective.
• We fine-tune each others educational materials
  and messages.
• Double the person-power reaching out to different
  audiences broadens impact
• The issue of privacy and risks of identity theft
  and institutional risk bring a high level of
  management attention to technical lapses.
• Areas of conflict are addressed in a manner that
  gives due attention to each of the competing
  interests
• Continued work on how to best leverage the
  different focus areas, backgrounds, expertise,
  partnerships from each office for the overall
  institutional benefit