Transcript of It’s Past Midnight Do you know where your data are? EDUCAUSE MIDWEST 2008 Mary Pickering, Program...
![Page 1: It’s Past Midnight Do you know where your data are? EDUCAUSE MIDWEST 2008 Mary Pickering, Program Director, University Information Services, Georgetown.](https://reader030.fdocuments.us/reader030/viewer/2022032600/56649da85503460f94a9434a/html5/thumbnails/1.jpg)
It’s Past Midnight
Do you know
where your data are?
EDUCAUSE MIDWEST 2008
Mary Pickering, Program Director, University Information Services, Georgetown University
Copyright Mary Pickering, 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Page 2
What they really fight about inside the Beltway …
Data are!
Data is!
Page 3
Defining the scope of the problem
A brief survey:
Data breaches
Regulatory implications
Damage
Formal review & approval processes:
Information technology
Page 4
Contracts at Georgetown
1789-2005: Decentralized, self-regulated, ‘generous’
2005-2006: Formal centralized review
Process for additional review
Standard Terms & Conditions
Fiscal motivation primary
Slow rate of acceptance
A new paradigm
Page 5
Regulatory responses to a brave new electronic world
40 states & District of Columbia have data breach notification laws
2003: California
Range of actions
Implications for universities and colleges
Page 6
The nature of data breaches
Page 7
Cause #1 - Us
Human error
Poor security practices
Failure to consider the wider picture
Page 8
Cause # 2 - Them
‘Joyriders’
Criminal activity
Exponential growth
Page 9
How do we react to this new reality?
Page 10
IT professionals on the front lines
Protecting against external threats:
Implement firewalls
Monitor systems
Protecting against systemic internal risks:
Eliminate ‘protected’ data
Enforce secure passwords
Provision encrypted laptops
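"Eliminate protected data" only works once you know where it lives, and the breach described later in this deck came from a self-managed server nobody was inventorying. The following is an added example, not code from the presentation or from Georgetown: a small scanner that walks a directory tree looking for US Social Security numbers and payment-card numbers, using a Luhn checksum to drop random digit runs that merely look like card numbers. The regular expressions, the size cutoff, the redaction format and the sample CSV text are all assumptions of this example.

```python
"""Find likely 'protected' data (US SSNs, payment-card numbers) in text files
so it can be removed or moved behind central controls.

Added example; not the presentation's own code. The patterns below are
assumptions and will need tuning for a real campus."""
import os
import re
import sys
from typing import Iterator

# Assumed pattern: SSN formatted 123-45-6789, excluding areas 000/666/9xx,
# group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Assumed pattern: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters random digit runs out of card-number hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_protected_data(text: str) -> list[tuple[str, int, str]]:
    """Return (kind, line_number, redacted_value) for each hit in text.

    Only the last four characters are kept so the scan report itself does not
    become another copy of the protected data."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            hits.append(("ssn", lineno, "***-**-" + m.group()[-4:]))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append(("card", lineno, "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def scan_tree(root: str, max_bytes: int = 5_000_000) -> Iterator[tuple[str, str, int, str]]:
    """Walk root, yielding (path, kind, line, redacted) for every hit.

    Files above max_bytes and unreadable files are skipped; binary content is
    read with errors ignored, so archives and images mostly yield nothing."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            for kind, lineno, redacted in find_protected_data(text):
                yield path, kind, lineno, redacted


# Constructed sample: an export a department might leave on a web server.
# The first card number passes Luhn; the second is a digit run that does not.
SAMPLE = """\
name,ssn,card
Alice Example,123-45-6789,4111 1111 1111 1111
Bob Example,987-65-4320,1234 5678 9012 3456
ticket #2025-00812 opened 2008-03-17
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, kind, lineno, redacted in scan_tree(sys.argv[1]):
            print(f"{path}:{lineno}: {kind} {redacted}")
    else:
        for kind, lineno, redacted in find_protected_data(SAMPLE):
            print(f"sample:{lineno}: {kind} {redacted}")
```

Run it with a directory argument (for instance the document root of a departmental web server) to list files that need attention; with no argument it scans the embedded sample, reporting the SSN and the Luhn-valid card on line 2 and nothing for the second row, whose SSN uses a 9xx area and whose card number fails the checksum. The report is deliberately redacted, and a real deployment would add more patterns (bank account formats, student ID formats) and exclude known-safe paths.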
Page 11
But what about the risks that technology can’t protect against?
Page 12
Risk #1 – Alpha projects
Banner – a multi-year, complete overhaul of a core system project?
Protected data, integrations, scale
Page 13
Risk #2 – Taming the beast
How about the new e-mail system?
High profile, campus-wide, outsourced
Page 14
Controlling risk in large scale projects
Layers of approval
Dedicated project managers
Multiple expert resources
Oversight committees
Extensive change control procedures
Separation of duties
Checks and balances
Page 15
Risk #3 – Stealth projects
Professor Pookie
Protected data, no oversight, mixed technical bag
Page 16
Imperfect storm at Georgetown
Human factors: Technically sophisticated faculty member
Technical factors: Self-managed servers
Environmental factors: Lack of institutional oversight; Legacy contract since mid ’80s
Page 17
Counting the costs
The breach: 41,000 clients of the Office of Aging; No criminal activity using data
The impact: $300,000+ (data analysis, notification, materials, legal counsel); 200+ staff hours; Loss of productivity; Damaged relationships & reputation
Page 18
Immediate institutional response
May 2006: All contracts involving technology must be reviewed by central IT (University Information Services)
Executive VP, General Counsel & CIO mandate
Effective immediately
Page 19
Yikes!
What is this contract for? Vast breadth of quality & detail; Lack of understanding; Jumping the gun
Who are you? Widespread confusion; Even wider spread displeasure
What do we do now? Definition of ‘involving technology’; Internal process, ownership & tracking; Review criteria
Page 20
The flood of 2007
Contracts (1,200)
Web (45%)
Non-web (55%)
IT (10%)
Page 21
Coping
1. Start with what we can control
2. Tackle what’s out of our control
3. (Re-)enforcement
Page 22
1. Start with what we can control
Internal process:
1. Log the contract
2. Assign ownership
3. Initial review
a. Additional review
4. Record results
Page 23
IT contract review process
Contract submitted to Purchasing & Contracts
Does the contract involve information technology? If YES, send to UIS
Contract assigned to contract review coordinator
Contract Review Memorandum created
Initial review conducted
Does the contract require specialist review? If YES, specialist assigned; review conducted. If NO, continue
Contract Review Memorandum finalized
Approve or reject
Requirements for approval & recommendations sent to P&C and client
Page 24
Refinement
Internal process: Address bottlenecks; Boilerplate language
Set expectations: Initial communication; Review interview; Vendor contact
Develop standardized contract review criteria
Page 25
Contract Review Memorandum
Serves as official record: Contract details as submitted; Contact with departments & vendors; Requirements for execution; Recommendations for project improvements
Easy comparison of contracts with similar or same vendors
Easy reference
Page 26
Standardized contract review criteria
What data are gathered/stored/transmitted?
Where is the system or data hosted?
What authentication & authorization are involved?
What access does the vendor have to protected data?
Does the system interact with other systems?
Are there any regulatory implications?
What policies are applicable?
Is ongoing support included in the contract?
Page 27
Coping
1. Start with what we can control
2. Tackle what’s out of our control
3. (Re-)enforcement
Page 28
2. Tackle what’s out of our control
Education: Develop background materials; Dog and pony shows; Set expectations; ‘Deputize’ IT partners
Intervention: Act as consultants for departments; Act as intermediary with vendors
Remove barriers: Set minimum standards; Provide standardized confidentiality addendum; Provide template for Statements of Work
Page 29
Statement of Work template
Project details & description
Nature of contracted services: Discovery/design; Licensed product; Application development; Implementation
Scope; Responsibilities; Assumptions; Deliverables; Hosting, vendor access, support
Page 30
Coping
1. Start with what we can control
2. Tackle what’s out of our control
3. (Re-)enforcement
Page 31
3. (Re-)enforcement
Push work back on departments
No UIS approval: No executed contract; No payment of vendor; No release of work product
Page 32
Results
Significant reduction of review time: Practice makes perfect; Focusing on the priorities; Less time chasing details
Informed clients: Pre-reviews
Better contracts; saved money
Better grasp of scope of technology initiatives across campus: Insight into typically independent sectors
Page 33
Why institute a formal contract review process?
Leverage existing contracts
Increased security overall; protects vendors and clients alike
Speed to contract execution; prompt payment for vendors
Formal record of findings & approval requirements & recommendations
An ounce of prevention is worth a pound of cure
Page 34
Questions?
Examples: Contract Review Memorandum Template; Statement of Work
For more information, feel free to contact: Mary Pickering – [email protected]