1 / 11

Data Protection in Higher Education: Privacy and Security Challenges

This article discusses the challenges of protecting personal data in higher education, including the range and volume of data, decentralized systems, increased regulations, and security threats. It highlights the roles of Chief Privacy Officer (CPO) and Information Security Officer (ISO) and explores conflicts and collaborations between privacy and security. The article also presents a risk assessment tool and concludes with the benefits of collaboration and leveraging each office's expertise.

calvine
Télécharger la présentation

Data Protection in Higher Education: Privacy and Security Challenges

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and PolicyCornell UniversityJune 29, 2005 Dave Millar, Information Security Officer Lauren Steinfeld, Chief Privacy Officer

  2. Overview • Why is Privacy Challenging in Higher Education • Recent Environment • Role of CPO and ISO • Privacy and Security: Conflicts and Collaborations • Risk Assessment Tool -- SPIA • Conclusions

  3. Why is Privacy Challenging for Higher Ed? • Range and volume of personal data held: • Employees • Faculty • Students • Alumni • Donors • Research subjects • Parents • Others • Vast and complex services • Academic programs • Patient care • Research • Financial aid • Legal • Audit • Library • IT • Housing • Dining • Parking • Facilities management • Decentralization / distributed systems and processes • Older, less manageable systems – often containing SSNs as keys to identity • Open IT systems • Academic Freedom • Greater security risks

  4. Recent Environment • Increased regulation in privacy and security • Previously: data protection for higher ed was largely covered by FERPA • Recent regulation: HIPAA privacy and security, GLBA safeguards, FACTA, CAN SPAM, PCI Standards, and more • More local data opportunities in decentralized environment • More people building their own • More independent and creative uses and sharing of data • More security threats to data, systems, networks

  5. Role of CPO • Relatively new in higher ed • At Penn: Housed in Office of Audit, Compliance, and Privacy (new) • Official Activities • Education, Training, Awareness • Risk Assessment • Risk Remediation • Oversight and Monitoring • Other functions • Championing discussion of issue • Serving as point of contact for questions / concerns • Coordinating compliance activities

  6. Role of ISO • Education, awareness, training • Incident response • Protecting data • Enforce existing policy – primarily by managing exceptions identified through pro-active scanning • Identify weaknesses where best practices are not being followed – e.g. password policies, patching, Windows domain administration • Bring management attention to problem areas • Advancing new security policy agendas

  7. CPO Awareness focus: ID Theft, Records Destruction SSN Usage Survey Electronic Payments Policy Online Directory HIPAA Privacy FERPA Consent Online Security and Privacy Impact Assessments CAN SPAM Guidance FACTA compliance Incident Response Privacy Liaisons ISO Proactive Scanning Policy Work Additional on Critical Host Policy Host Security HIPAA Assessments and Policy Security and Privacy Impact Assessments Wired Authentication Incident Response Incident Management Reports Patch Management Campus-wide awareness Examples of Recent Initiatives

  8. Privacy and Security: Conflicts and Collaborations • Conflicts: • Wired Authentication • Electronic Monitoring • Intrusion Detection • Collaborations • Awareness • SPIA • Incident Response • PCI Standards

  9. High Impact Example: Risk Assessments – Security and Privacy • Recognizes the complementary potential of the two issues • Team: Security, Privacy, Audit, Business Services • Draws on: • Pilot results of v1 SPIA tool • Randy Marchany’s STAR Virginia Tech model • HIPAA Security model • Audit approach

  10. Security and Privacy Impact Assessments – Basic Approach • Phase I: High Level Inventory, Prioritization / SPIA Planning • IT Director of Unit performs inventory and high-level prioritization of assets for 3 year plan for performing SPIAs • Highest priority (including “Critical Hosts” in next FY) • Phase II: Actual Risk Assessment • Inventory specific assets (applications only) • For each asset • Score likelihood and consequence of certain risks / threats • Evaluate potential risk mitigation strategies and develop plan for such mitigation • Re-assign, based on mitigation plan, likelihood and consequence of risks / threats • Phase III: Reporting • IT Director? • CPO / ISO? • Source Steward(s)? (link to data stewardship) • Advisory Board?

  11. Conclusions • Close collaboration between privacy and security is very effective • Organizational independence allows us to be more effective. • We fine-tune each others’ educational materials and messages. • Double the person-power reaching out to different audiences broadens impact • The issue of privacy and risks of identity theft and institutional risk bring a high level of management attention to technical lapses. • Areas of conflict are addressed in a manner that gives due attention to each of the competing interests • Continued work on how to best leverage the different focus areas, backgrounds, expertise, partnerships from each office for the overall institutional benefit

More Related