Managing Sensitive Data at Michigan State University Presentation on behalf of Controller's Office, Internal Audit, and Libraries, Computing & Technology
2 Agenda Definitions and principles regarding sensitive data An action plan for managing your confidential & sensitive data Current resources
4 What Constitutes Institutional Data? Any data/information the MSU workforce collects, creates, stores, distributes, or uses in the normal course of University business
5 Facets of Institutional Data
Facet | Questions to ask
What format is the data in? | Is it electronic, like in an attachment? Paper-based? Spoken?
What is the data used for? | Keeping track of student grades? Employee wage changes?
How sensitive is the data? | Is it confidential, sensitive, or public?
6 Data Stewardship: Our Institutional & Individual Responsibilities We have legal and ethical responsibilities to protect the privacy and confidentiality of institutional data. –Legal: Comply with federal & state law, government and other regulations, MSU contracts, policies, guidelines and procedures –Ethical: Meet responsibilities to students, employees, alumni, and affiliates (clients, patients, patrons, partners, public, etc.)
7 CIA in Data Management Confidentiality –Only authorized people access the data Integrity –The data are trustworthy Availability –Use the data effectively and efficiently while safeguarding confidentiality Confidentiality vs Availability
8 Data Privacy and Security Guidelines Data are made available on a need-to-know basis Institutional data are only to be used in the context of University business Members of the workforce must understand that: –They are in a position of trust –Each individual is responsible for appropriate use and release of data
9 Degrees of Data Sensitivity Confidential –Protected by law, regulation, contract, policy, guideline Sensitive –Not disclosed without good reason due to private nature, institutional risk –Protected by procedures, practice and high ethical standards Public –Not protected and generally made publicly available
10 Degrees of Data Sensitivity (cont.) Public –Not protected, and generally made publicly available –Examples include: Directories (excluding restricted individuals and/or information) Library card catalogs Course catalogs Institutional policies
11 Degrees of Data Sensitivity (cont.) Sensitive –Not disclosed without good reason due to private nature, institutional risk, or to maintain a competitive advantage –Protected by procedures and high ethical standards –May be subject to disclosure by specific written request under the Freedom of Information Act –Includes: Employment Data –Examples: salary data, restricted directory data, employee attributes (e.g., citizenship, gender, race/ethnicity, special needs, veteran code) Other data, such as certain maps and detailed institutional accounting and budget data
12 Degrees of Data Sensitivity (cont.) Confidential –Student Records Protected by Family Educational Rights and Privacy Act Protected by University policies and guidelines –Guidelines Governing Privacy and Release of Student Records –MSU Privacy Guidelines –Personally Identifiable Financial Data, such as with financial aid and student loans Protected by Gramm-Leach-Bliley Act –Data used in identity theft Examples: name, address, date of birth, SSN, payment card numbers, bank and electronic funds transfer account numbers, and driver's license #s
13 Degrees of Data Sensitivity (cont.) Confidential (cont.) –Health Records Protected by Health Insurance Portability and Accountability Act –Social Security Numbers Protected by Michigan Social Security Number Act and University policy –Payment Card Data Protected by contract, PCI DSS (Payment Card Industry Data Security Standards) –Research Data Protected by federal regulations (45 CFR 46, 21 CFR 50, 21 CFR 56) and MSU's Internal Review Boards (www.humanresearch.msu.edu)
14 An Action Plan Step 1: Survey Your Unit Step 2: Assess Your Risk Step 3: Mitigate Your Risk
15 Step 1: Survey Your Unit What sensitive data are being stored and why? Do you import or export sensitive data? –To or from whom, why, and is it secure? Who has access to sensitive data in your unit? What are the physical security characteristics of your system(s)? –How are your systems physically secured? –How are your paper files physically secured? How do you manage and administer your information systems?
16 Step 2: Assess Your Risk Assess each piece of data identified in Step 1 –Which law, regulation, contract, policy, or guideline applies? –What are the consequences if this piece of data is exposed? –Currently, how much risk is there that this data will be exposed? –Should mitigating this risk have a high, medium, or low priority?
17 Step 3: Mitigate Your Risk Educate security administrators and users –Understand your unit's need-to-know procedures –Be aware of risks and good data habits Keep your inventory current –Archive un-used data –Delete un-needed data Protect the data –Physically & digitally secure the data –Store the data in as few places as possible Test security systems and processes
18 Systems Security: Ongoing Responsibility New threats appear almost daily Therefore we must be vigilant: –Operating system exposures –Application software exposures –Network exposures
19 An Action Plan for Individuals Step 1: Survey Your Data –Survey your own electronic and paper files for sensitive data and identify problem areas Step 2: Assess Your Risk –Assess the risk involved with storing the data, the business need and how it is stored Step 3: Mitigate Your Risk –Find ways to manage the risk and take appropriate action –Personal workstation security - Anti-virus, security patches, firewall, anti-spyware
20 A Metaphor: SSN Abatement SSNs are similar to asbestos –Following industry practice, they were used everywhere for years –We now realize the dangers, so when we find them we follow a procedure: Take prompt steps to abate high-risk and/or low-value uses Institute policies; i.e. new uses of SSN are forbidden without clear justification Assess dangers and risks Determine best way to minimize risk and reduce danger
21 SSN abatement example Incident: MSU's library server suffered intrusion System housed SSNs We do not believe intruders sought or copied SSNs, but we do not know Response: –Although system was rather secure, security tightened –Firewall put in place –Summer 2005: internal processes changed so that the library server no longer houses SSNs
22 We all have roles to play in managing sensitive data
23 We all have roles to play in managing sensitive data and we need to share our ideas and concerns with each other.
24 Exposure or Intrusion – Which is which? Exposure – sensitive data that may be accessed by unauthorized individuals Intrusion – unauthorized access to a computing resource (may or may not involve sensitive data)
25 Identifying and Reporting an Incident If you aren't sure if there is sensitive data being exposed, contact your IT staff immediately. If you do not have access to IT staff in your department, contact the ACNS Help Desk at (517) It is a good idea to contact LCT about a possible data exposure, ASAP.
26 When an Incident Occurs, What Happens? Unit, following internal procedures, notifies DPPS immediately ( ) –DPPS notifies LCT –DPPS wants to gather evidence that will lead to a prosecution while minimizing interruption to the business The unit, DPPS, and LCT assess the incident Systems that may have been involved may be taken for months, for the criminal investigation –Repercussions of this action can be devastating if a unit system is taken offline Normally MSU will disclose an exposure to those who might be affected –And to the public
27 Implications of a Breach of Sensitive Data Institutional and personal implications Services terminated Fines Bad press Jail time
28 Incidents at MSU Despite our best efforts… –Student PINs exposed during data transfers between business units –SSNs may have been exposed on a server at a business unit –Student SSNs, names, addresses may have been exposed on a server at an academic unit –Years of credit card transactions may have been exposed on a server at a business unit –Confidential employee information may have been exposed on servers at a business unit We are all learning
29 We're Not Alone in This There are still some schools that use SSN as a student identifier Many universities are going through this same process of identifying, managing and securing sensitive data. –Nobody has declared victory. It will take years.
30 Current Resources Look to http://lct.msu.edu/security for current resources, presentation files Managing Sensitive Data Team –Diana D'Angelo, University Data Resource Administrator, Assistant Director Client Advocacy Office, –Team Members: Academic Computing and Network Services, Administrative Information Services, Client Advocacy Office, Controller's Office, Department of Police and Public Safety, Internal Audit
31 Current Resources (cont.) Town Hall meetings –First two in October 2005 – definitions, principles, action plan, resources –Spring 2006 Town Halls will include reports from units who have implemented action plans LCTTP Technology Training –Class/workshop for end-users of data – see for registration and additional information –Infusion into relevant courses Campus Applications, Course Management, Database Management, Internet Development, Microsoft Office and Student Information Systems
32 Current Resources (cont.) Hardware repair and software reloads –Computer Repair, 505 Computer Center Anti-virus and anti-spyware software –MSU Computer Store, 110 Computer Center Network security assistance –Network Security Team, 301 Computer Center, PC/LAN Support –Implementation, security analysis, hardware and software trouble-shooting and repair –Consultation on PC and LAN implementation free of charge
33 Current Resources (cont.) Data retention and disposal –University Archives provides advice on data retention and disposal –MSU Surplus can discuss specific data disposal needs Reassigning or retiring a computer system? –If there is sensitive data on the hard drive, scrub it. –Erasing or reformatting a disk does not remove the data from the disk. –You must use special sanitizing software, or physically destroy the hard drive.
34 Current Resources (cont.) Identity Theft Partnerships in Prevention Judith Collins, Director (517) Collins, Judith M., Preventing Identity Theft in Your Business: How to Protect Your Business, Customers, and Employees, John Wiley and Sons, Inc., 2005 Further discussion and resources as we continue to address managing sensitive data
35 Our Work Is Just Beginning Change is needed at the institutional, departmental, and individual levels –Business processes –IT systems and procedures Annual reassessments for payment cards New applications must comply with policies and regulations
36 Our challenge When we find sensitive or confidential data in our daily work, question if the use is appropriate. The answer to many of our questions is not "Yes" or "No." Rather, it is, "It depends." –Do a risk assessment and make a reasonable decision or look for an innovative solution.
37 Questions? What issues are at the top of your mind? What do you think we can do to provide better resources to address sensitive data issues?