
Lassoing the Beast: How a Large Diverse University is Wrapping its Arms Around Confidential Data

Lassoing the Beast: How a Large Diverse University is Wrapping its Arms Around Confidential Data. Educause 2007 October 26, 2007 Maura Johnston / Assistant Privacy Officer (Audit, Compliance and Privacy) Donna Milici / Executive Director Information Technology (School of Nursing)



Presentation Transcript


  1. Lassoing the Beast: How a Large Diverse University is Wrapping its Arms Around Confidential Data Educause 2007 October 26, 2007 Maura Johnston / Assistant Privacy Officer (Audit, Compliance and Privacy) Donna Milici / Executive Director Information Technology (School of Nursing) Jim Cunningham / IT Senior Director (Information Systems and Computing)

  2. Copyright Notice Copyright University of Pennsylvania, 2007. This work is the intellectual property of the University of Pennsylvania. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the University of Pennsylvania. To disseminate otherwise or to republish requires written permission from the University of Pennsylvania.

  3. Lassoing the Beast • Privacy at Penn: The organization • Security and Privacy Impact Assessment (SPIA): Its genesis • The SPIA process and tool • Decisions along the way • SPIA Cohort participants report: • Information Systems and Computing • School of Nursing • Outcomes • What is next for Penn • Questions – spia@pobox.upenn.edu

  4. Privacy at Penn: The Organization • Privacy Office, headed by Chief Privacy Officer, is part of the Office of Audit, Compliance and Privacy • Leadership of many major activities, joint with Information Systems and Computing • Privacy Senior Executive Committee (PSEC) – An oversight committee comprised of senior leadership in Schools and Centers. Co-chaired with Provost’s Office. • Privacy Liaisons – Points of contact in 33 Schools and Centers. • Specialized Committees / Teams: IT Privacy; SSN Remediation; SPIA Coordination • Other Key Partnerships: IT Roundtable; Provost’s Office; Office of General Counsel; Office of Human Resources

  5. Security and Privacy Impact Assessment (SPIA): Its Genesis • Top down influence and grass roots development • At Penn, environment increasingly sensitive to privacy issues • SPIA Coordinating Team – OACP and ISC • Risk equation: What are the problems? What are we doing right? What’s left? • Volume of data (including unnecessary data) • Number of people working with data • Volume of rules and best practices • Changing landscape • Models: Federal Privacy Impact Assessment; Virginia Tech STAR model

  6. SPIA Genesis: Ideas into Implementation • SPIA took several rounds to get to today’s version • Pilot with financial services program offices – GLBA Safeguards Rule • Early Adopters/Cohort I – Six Schools and Centers • Very positive feedback; a basis for “buzz” • Using the Cohort 1 successes, we presented on the value of the program to many audiences, asking for participation in a follow-up Cohort • Cohort II launched in July: 19 schools and centers participating

  7. SPIA: Process & Tool • A people process intended to: • Raise awareness deep into organizations • What confidential data exists • What systems store the data • Establish common vocabulary and common standards for assessing risks to data • Foster discussion involving IT staff, as well as the academic and administrative community • Prompt remediation of major risk areas

  8. SPIA: Process & Tool • Organize your team • Develop an approach • Inventory your confidential data • Schedule risk assessments

  9. SPIA: Process & Tool • Conduct risk assessments • Current and Future State • Probability x Consequence Scoring • Seven Key Threats: Compromised by external hacker or malicious software; Intercepted in transit by unauthorized persons; Mistakenly disclosed; Knowingly or recklessly misused by staff, faculty, vendors, or temporary workforce; Physical theft; Loss of public trust over privacy; Lost or unavailable data (business discontinuity) • Sixty-eight Safeguards

  10. SPIA: Process & Tool • Summarize Findings: An annual executive level reporting process • Purpose: To provide a high level view of results, to better understand patterns of risk and plans to mitigate across the organization • Describe the work effort • Resources • Number of systems assessed • Findings • Greatest concerns • Successes • Improvement plans • Timelines • Budget implications • Risk reduction expected • Key Learning and Follow-up • Update on Prior Year Improvement Plans • Signed by IT Director and Senior Business Administrators

  11. SPIA: Decisions Along the Way • No policy mandate to undertake SPIA (5 year organization-wide goal reported to Trustees) • No requirement within SPIA to implement controls • Requirements found in other policies, not in SPIA • Keep tool simple – • Boil it down to basics; other components optional • Keep process flexible • No requirement to keep to the threats or safeguards list for example. Excel spreadsheets easily editable. • Keep information submitted to coordinating offices to a minimum • Summary of approach (early on as QA) • Executive summary (annual report) • Implement on a cohort basis • Report to trustees regarding expectations of SPIA program

  12. Participant’s Report: Information Systems and Computing • Which systems are appropriate for central IT to initiate a SPIA? • Getting organized – 14 areas within IT participated • Milestones are important to track and report progress against • How applications/databases were defined varied widely • Making it an on-going way of doing business • Planning for the next year • Adding to the inventory • New system requirements • Attention to types of data

  13. Participant’s Report: School of Nursing • Engage school leaders; capitalize on funding agency requirements • Promote through existing channels; share learning • Don’t just document – question WHO has access to WHAT and WHY, and adopt practices to monitor this • Appreciate and manage the tension between need for privacy and ease of access to information • School of Nursing Highlights: • Concerns • Sustaining inventory with moving targets • Protecting mobile devices • Secure sharing of confidential data • Major “wins” • Awareness and modified behavior (ongoing) • Early success with low hanging fruit and plans for next steps • Buy-in for best practices, guidelines and policies

  14. SPIA Sample Results as Reported by Participating Schools / Centers • Areas of concern (examples): • Protecting data on mobile devices • Security of backup devices • Remote desktop and other work at home methods • Obscure location of unnecessarily retained, sensitive data • Encryption of data in transmission and at rest • Disaster recovery and testing • Current successes and near future improvement plans (examples): • Reduction in shadow systems • Laptop security – removal of administrative privileges • Complete removal of SSNs from certain applications • Upgrading database versions to current, more secure • Hardware firewalls in server rooms • Tightening access privileges, especially temporary workers • More use of automated security scanning tools and Cornell Spider tool • Encrypting sensitive data at rest

  15. What is next for Penn? • Continued Support for Cohort 1 • Avoid the “we’re done” risk • Summarize outcomes for senior leadership • Project Management for Cohort 2 • Monthly meetings • Ensure understanding of deliverables and check that they are delivered • Recruiting for Cohort 3 • Each year may mean less enthusiastic participation (i.e., good guys sign up first?) • Maintain senior level and trustee reporting and support • Integrate into ongoing business operations

  16. Q&A • Contact Information and Resources: spia@pobox.upenn.edu • Penn Privacy Web Site: www.upenn.edu/privacy • Penn Security Web Site: www.upenn.edu/computing/security • Copyright University of Pennsylvania, 2007
