Minimizing Risk Relating to Sensitive Data Team Members Lori Rounds - CIO Aaron Brown – Network...
-
Upload
sophia-hunter -
Category
Documents
-
view
216 -
download
0
Transcript of Minimizing Risk Relating to Sensitive Data Team Members Lori Rounds - CIO Aaron Brown – Network...
Minimizing Risk Relating to Sensitive Data
Team MembersLori Rounds - CIOAaron Brown – Network SecurityJames Beasley – Infrastructure ArchitectWendell Barbour - ConsultantTerri Jones – Faculty Senate PresidentLeanne McGiveron – Data Steward-Registrar
2007 Executive Leadership Seminar – Minimizing Risk Relating to Sensitive Date
Request from the Board of Trustees
a) Define elements of current structure, culture, policies and operations that create or increase the risk of breach of PII.
b) Define degree of risk and how great a priority this should be for the institution.
c) Develop a plan to minimize the risk and estimate resources required to do so.
2007 Executive Leadership Seminar – Minimizing Risk Relating to Sensitive Date
Policy Assumptions
University has a long standing breach notification policy in place - updated by General Counsel six months ago.
Records Retention Policy exists Data Stewardship Policy exists Data Access Policy exists Network Security Policy exists Data Privacy Policy exists Data Security Policy exists Identity Management Policy exists
2007 Executive Leadership Seminar – Minimizing Risk Relating to Sensitive Date
Organizational Assumptions
Decentralized IT support, administration Accountability for data does not extend
beyond Data Stewards. No university consequences exist for data
breach. Faculty and staff either do not know policies
exist, do not understand policies, and/or do not think it applies to them.
2007 Executive Leadership Seminar – Minimizing Risk Relating to Sensitive Date
Elements that Can Create or Increase Breach Risk Decentralized computing support and
administration. Policies developed in isolation from all
stakeholders. Lack of understanding among employees
regarding the value of sensitive and restrictive data.
Data stewards who manage individual silos of data; paper & electronic; no communication between stewards.
Individuals beyond data stewards are collecting and using sensitive/restricted data; paper & electronic
Users who share data, IDs and passwords.
2007 Executive Leadership Seminar – Minimizing Risk Relating to Sensitive Date
Elements that Can Create or Increase Breach Risk
Behavioral Psychology - Human Agency capacity for making choices
Lack of Data Awareness Training Plan Lack of Communication Plan Lack of Incidence Response Plan Lack of Vendor Assessment Plan Lack of Enforcement of Policies Lack of Consequences for Policy Violators Existing University Risk Management and
Crisis Management Plans do not address data Lack of Data Lifecycle
Management/Classification Plan
2007 Executive Leadership Seminar – Minimizing Risk Relating to Sensitive Date
Data Classification
Restricted Sensitive Public
Level of Sensitivity High / Critical High/Moderate Low
LegislationProtection by legislation; federal & state
State Breach Notification Laws
None
Reputation Risk High High/Medium Low
Data Examples FERPA, HIPPA, SSN
PII, Research data not protected by legislation; subsets of restricted data, such as birthdates, addresses, etc.
Institutional news, educational bulletins, etc.
*Adapted from Educause ‘IT Security Guide’; http://wiki.internet2.edu
2007 Executive Leadership Seminar – Minimizing Risk Relating to Sensitive Date
Plan to Minimize Risks
INCLUDE STAKEHOLDERS! Creation of a cross-university Breach Task Force
meets on a weekly basis (and sub-committees) Task force composed of:
Director of Risk Management CIO Faculty and staff representatives Division/Department representatives Administrative assistants representative Security Officer Behavioral Psychologist Director of Human Resources Director of Public Relations Data Stewards General Counsel
2007 Executive Leadership Seminar – Minimizing Risk Relating to Sensitive Date
Plan to Minimize Risks
Review of current policies on a defined cycle.
Ability to quickly develop critical issue policies that may need to by-pass normal policy-making process.
Centralized policy creation/enforcement structure.
2007 Executive Leadership Seminar – Minimizing Risk Relating to Sensitive Date
Plan to Minimize Risks
Make sure that Data Security Policy addresses:
Physical layer (disclosure and access) Logical layer (anti-virus, firewalls) Administrative layer (people)
Sensitive data on any electronic device or paper media, not just PCs, is at risk
Social engineering audit
2007 Executive Leadership Seminar – Minimizing Risk Relating to Sensitive Date
Plan to Minimize Risk – Clean Slate
DADs – Data Amnesty Day(s) with incentives!
Data audit of each user Cornell Spider – open source forensics tool Ongoing random data audits
2007 Executive Leadership Seminar – Minimizing Risk Relating to Sensitive Date
Plan to Minimize Risks
Existing policies have not minimized risk, what’s missing? The human factor - SDSL! Annual mandatory training and testing
for employees, including student workers Enforce existing policies Employees sign non-disclosure/ethics
agreements Consider all employees as data custodians Incident and Post-incident review process
2007 Executive Leadership Seminar – Minimizing Risk Relating to Sensitive Date
Incident/Post Incident Review Team
Determine data classification of disclosed data and whether data breach warrants disclosure: General counsel Data Forensics Officer Security Officer Deputy CIO Director of Risk Management
Lessons Learned – provide documented closure
2007 Executive Leadership Seminar – Minimizing Risk Relating to Sensitive Date
Degree of Risk
Five known breach incidents in the past ten months indicates that the University is at a high degree of risk for additional breaches.
Based upon data classification matrix, more than 5000 records of “restricted” data were compromised.
Multitude of risks possible ranging from financial (lawsuits; endowment) to loss of donors, to loss of reputation.
2007 Executive Leadership Seminar – Minimizing Risk Relating to Sensitive Date
Recommendations:Plan to Repair Reputation (Developed in Collaboration with Public Relations Director)
Keep entire university community appraised of efforts to minimize risk in the future.
Add employee training component to HR’s new employee orientation
Consider student and parent training at orientation.
Consider sharing progress at recruitment events.
Hold open forum for community to discuss concerns related to sensitive data.
2007 Executive Leadership Seminar – Minimizing Risk Relating to Sensitive Date
Resource Estimate
Consider purchase of breach insurance – fund with student technology fee.
Use existing course management system to deliver training/testing
Graduate students in the College of Education Instructional Design program develop content for training/testing
Psychology Department faculty as advisors Consider multi-mode training for different
learning styles Utilize existing resources such as campus
TV and radio stations for public service announcements
2007 Executive Leadership Seminar – Minimizing Risk Relating to Sensitive Date
Prioritization Recommendation
Competing and conflicting demands for limited resources.
1. Va Tech incident – life-threatening crisis notification and communication.
2. Address mold problem in residential dorms
3. Protect the University reputation by minimizing risk related to breach of sensitive personal data
2007 Executive Leadership Seminar – Minimizing Risk Relating to Sensitive Date
Final Thoughts
Data is a university asset, therefore…
Strategic Plan needs to include goal and objectives related to protection of sensitive and restrictive data.
It’s Not About the Bike Technology Beware of vendors! Think ‘low-tech’
solutions to problem (e.g., NASA)
2007 Executive Leadership Seminar – Minimizing Risk Relating to Sensitive Date
Questions?