Minimizing Risk Relating to Sensitive Data

Team Members
- Lori Rounds – CIO
- Aaron Brown – Network Security
- James Beasley – Infrastructure Architect
- Wendell Barbour – Consultant
- Terri Jones – Faculty Senate President
- Leanne McGiveron – Data Steward, Registrar

2007 Executive Leadership Seminar – Minimizing Risk Relating to Sensitive Data

Request from the Board of Trustees

a) Define elements of current structure, culture, policies and operations that create or increase the risk of breach of PII.

b) Define degree of risk and how great a priority this should be for the institution.

c) Develop a plan to minimize the risk and estimate resources required to do so.


Policy Assumptions

- The University has a long-standing breach notification policy in place, updated by General Counsel six months ago.
- Records Retention Policy exists
- Data Stewardship Policy exists
- Data Access Policy exists
- Network Security Policy exists
- Data Privacy Policy exists
- Data Security Policy exists
- Identity Management Policy exists


Organizational Assumptions

- Decentralized IT support and administration.
- Accountability for data does not extend beyond Data Stewards.
- No university consequences exist for data breach.
- Faculty and staff either do not know policies exist, do not understand policies, and/or do not think they apply to them.


Elements that Can Create or Increase Breach Risk

- Decentralized computing support and administration.
- Policies developed in isolation from all stakeholders.
- Lack of understanding among employees regarding the value of sensitive and restricted data.
- Data stewards who manage individual silos of data, paper and electronic, with no communication between stewards.
- Individuals beyond data stewards are collecting and using sensitive/restricted data, paper and electronic.
- Users who share data, IDs and passwords.


Elements that Can Create or Increase Breach Risk

- Behavioral psychology: human agency, the capacity for making choices
- Lack of Data Awareness Training Plan
- Lack of Communication Plan
- Lack of Incident Response Plan
- Lack of Vendor Assessment Plan
- Lack of Enforcement of Policies
- Lack of Consequences for Policy Violators
- Existing University Risk Management and Crisis Management Plans do not address data
- Lack of Data Lifecycle Management/Classification Plan


Data Classification

Restricted
- Level of sensitivity: High / Critical
- Legislation: Protection by legislation, federal and state
- Reputation risk: High
- Data examples: FERPA, HIPAA, SSN

Sensitive
- Level of sensitivity: High / Moderate
- Legislation: State breach notification laws
- Reputation risk: High / Medium
- Data examples: PII and research data not protected by legislation; subsets of restricted data, such as birthdates, addresses, etc.

Public
- Level of sensitivity: Low
- Legislation: None
- Reputation risk: Low
- Data examples: Institutional news, educational bulletins, etc.

*Adapted from Educause ‘IT Security Guide’; http://wiki.internet2.edu


Plan to Minimize Risks

INCLUDE STAKEHOLDERS!

- Creation of a cross-university Breach Task Force that meets on a weekly basis (with sub-committees)
- Task force composed of:
  - Director of Risk Management
  - CIO
  - Faculty and staff representatives
  - Division/Department representatives
  - Administrative assistants representative
  - Security Officer
  - Behavioral Psychologist
  - Director of Human Resources
  - Director of Public Relations
  - Data Stewards
  - General Counsel


Plan to Minimize Risks

- Review of current policies on a defined cycle.
- Ability to quickly develop critical-issue policies that may need to bypass the normal policy-making process.
- Centralized policy creation/enforcement structure.


Plan to Minimize Risks

Make sure that the Data Security Policy addresses:

- Physical layer (disclosure and access)
- Logical layer (anti-virus, firewalls)
- Administrative layer (people)

Sensitive data on any electronic device or paper media, not just PCs, is at risk.

Social engineering audit


Plan to Minimize Risk – Clean Slate

- DADs: Data Amnesty Day(s), with incentives!
- Data audit of each user
- Cornell Spider: open source forensics tool
- Ongoing random data audits


Plan to Minimize Risks

Existing policies have not minimized risk. What’s missing? The human factor (SDSL!)

- Annual mandatory training and testing for employees, including student workers
- Enforce existing policies
- Employees sign non-disclosure/ethics agreements
- Consider all employees as data custodians
- Incident and post-incident review process


Incident/Post Incident Review Team

Determine the data classification of the disclosed data and whether the data breach warrants disclosure. Team composed of:

- General Counsel
- Data Forensics Officer
- Security Officer
- Deputy CIO
- Director of Risk Management

Lessons learned: provide documented closure


Degree of Risk

- Five known breach incidents in the past ten months indicate that the University is at a high degree of risk for additional breaches.
- Based upon the data classification matrix, more than 5000 records of “restricted” data were compromised.
- A multitude of risks is possible, ranging from financial (lawsuits; endowment) to loss of donors to loss of reputation.


Recommendations: Plan to Repair Reputation (Developed in Collaboration with Public Relations Director)

- Keep the entire university community apprised of efforts to minimize risk in the future.
- Add an employee training component to HR’s new employee orientation.
- Consider student and parent training at orientation.
- Consider sharing progress at recruitment events.
- Hold an open forum for the community to discuss concerns related to sensitive data.


Resource Estimate

- Consider purchase of breach insurance; fund with student technology fee.
- Use existing course management system to deliver training/testing.
- Graduate students in the College of Education Instructional Design program develop content for training/testing.
- Psychology Department faculty as advisors.
- Consider multi-mode training for different learning styles.
- Utilize existing resources such as campus TV and radio stations for public service announcements.


Prioritization Recommendation

Competing and conflicting demands for limited resources.

1. Va Tech incident – life-threatening crisis notification and communication.

2. Address mold problem in residential dorms

3. Protect the University reputation by minimizing risk related to breach of sensitive personal data


Final Thoughts

Data is a university asset, therefore…

- The Strategic Plan needs to include goals and objectives related to protection of sensitive and restricted data.
- It’s Not About the Bike: it’s not about the technology.
- Beware of vendors!
- Think ‘low-tech’ solutions to the problem (e.g., NASA).


Questions?