There’s Safety in Numbers! Barbara Dolhansky Associate Vice President, Computer & Information Services Timothy O’Rourke Vice President, Computer & Information Services Temple University
The Hard Facts!
Identity theft is the fastest growing crime in America; 9.9 MILLION victims were reported last year, according to a Federal Trade Commission survey!
4/11/06 Specialty retailer Ross-Simons said a security breach detected earlier this month compromised personal information on 32,000 customers who applied for store credit cards from October 2004, when the cards were first issued, to April 4, when the problem was verified. A Ross-Simons spokesman said the data that was accessed was similar to the information on any credit application, including Social Security numbers. (Associated Press Newswires, April 13, 2006)
4/20/06 Boeing is notifying 3,600 current and former employees that their names, Social Security numbers and, in some cases, addresses and phone numbers may have been compromised after a laptop was stolen several days ago. The laptop was grabbed from a Boeing human-resources employee at an airport, said company spokesman Tim Neale. (The Seattle Times, April 21,)
The Hard Facts!
4/29/06 A Union Pacific employee’s personal computer was stolen Saturday, April 29. It contained a report with the names, Social Security numbers and birth dates of 30,000 employees at Union Pacific. (Union Pacific Statement, May 8, 2006)
5/25/06 VyStar Credit Union announced Thursday that hackers stole VyStar members’ personal account information. 34,000 customer accounts were affected. The pilfered information includes names, addresses, Social Security numbers, birth dates, mother’s maiden names and addresses. (The Florida Times-Union, May 27, 2006)
7/2006 A laptop computer containing personal information of more than 133,000 Floridians was stolen in late July from a government SUV parked in front of a popular Doral cafeteria, the U.S. Department of Transportation announced Wednesday. There is no evidence that the data have been used illegally, DOT officials stressed Wednesday in Washington and Miami. (The Miami Herald, August 10, 2006)
The Hard Facts!
2006 Disclosures of U.S. Data Incidents
–At least 148 incidents have been disclosed, potentially affecting nearly 9.3 million individuals
–30% of disclosures involve educational institutions; 30%, governmental or military agencies; 18%, general business; 11%, health care facilities or companies; and 11%, banking, credit or financial services entities.
Since January 2006 at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges
We store similar personal information as a bank and we’re easier prey than a bank!
Most states enacting legislation penalizing the failure to adequately protect an individual’s privacy!
PA Senate Bill 712
Breach of Personal Information Notification Act
Enacted June 20, 2006 by the PA legislature
Provide notice (written, telephone or substitute) to individuals in event of security breach of personal information
First name & last name linked with:
–SSN
–Driver’s license number or state ID card
–Financial account number, debit or credit card number, in combination with security code to access account information
Not just about electronic data! Paper files also included in law.
Who are We?
Based in Philadelphia, Temple is one of Pennsylvania’s three public research Universities, along with Pitt & Penn State
The University has over 35,000 students, 16,000 annual W-2’s issued, and over 230,000 alumni
–26th largest University in the United States
–6th largest provider of professional education in the country
–17 schools and colleges including schools in Law, Medicine, Pharmacy, Podiatry, & Dentistry and campuses in Tokyo, Japan, & Rome, Italy
–$90 million Physicians Practice Plan
–Total operating budget of $900 million
Temple Health System (a wholly owned subsidiary of the University) is a $1 billion operation made up of 13 separate corporate entities and has over 5,000 employees.
The University runs the HR system for the Health System.
Our Goals!
Protect the personal data of our students, faculty, administrators, and alumni
Increase our confidence that the personal data is adequately protected
Educate / improve awareness among Temple community as to the importance of confidentiality and the personal protection of their data
Keep us out of the newspapers!
Our Challenges!
Many old legacy systems employed SSN as key
–Student, HR, Finance
–SS# key to all of our systems
–Almost 1,000,000 unique SSN’s in these systems
Over 25 centrally maintained ancillary systems using SSN as Key
Complex web of “shadow systems” and an unknown number of Access databases and spreadsheets throughout departments
Limited resources and many other priority initiatives
Delay of ERP deployment
Passed policy in September 2004, with a hard deadline of September 30, 2005
The Project Barbara Dolhansky
True Confessions / Things Not to Do Don’t enlist five computing students to perform code changes…… Don’t forget your school mascot…… Don’t expect alumni to donate money to the cause……. Don’t forget to have a conversion concierge…….
Summary
Task Name                            Estimated Hours
SSN Elimination Project              13,000
Project Management                   550
Develop Information Website          20
Develop Search Screen                600
Develop Potential Matches Screen     600
Develop Add/Update Logic             400
ISIS Modifications                   1,850
HRS Modifications                    820
FMS Modifications                    240
Access Card Modifications            700
Snyder Reporting Modifications       420
Convert Ancillary Systems            840
Develop Multiple Records Process     350
University Forms                     1,360
Conversion                           2,600
User Testing                         850
Training                             400
Establish Data Integrity Office      400
Important >>>> It’s a Big Project! >>>> PLAN 13,000 HOURS!!!
Major Central Systems
Integrated Student Information System (Records back to 1963)
ID Card System
Human Resource System (Records back to 1993)
LDAP Directory
Financial Management System (Records back to 1987)
Student Recruitment Information System (SRIS)
Central Ancillary Systems
Kronos Time Reporting System
Undergraduate Application Website
Position Control System
Graduate Application Website
Telephone Billing
Document Imaging System
RMS Housing System
McGann Parking System
Ethernet Access in Residence Halls Website
QConnect Appointment System
Library System
Many Interfaces
First Year Writing Program System
Judicial Database System
Help Desk System
Departmental Shadow Systems
Focus Reporting System
Offices Affected
Academic Computer Services
Schools/Colleges/Campuses
Computer Services Information Security
School of Medicine
Telecommunications
School of Podiatric Medicine
Document Imaging Office
School of Dentistry
Office of Undergraduate Admissions
School of Law
Graduate School
School of Pharmacy
Development Office
Planning and Policy Analysis
Office of Human Resources
International Programs
Bursar
Campus Safety
Recreation Services
Provost Office
Student Financial Services
Legal Counsel
Academic Records Office
Privacy Officer
General Accounting
Internal Audits
ID Card Office
Student Affairs
TUHS and Affiliates
Parking
Housing
Library
Our Clever Nine Digit Unique Identifier “The TUid”
First digit set to “9” and the last digit is check digit.
Sequentially assigned from one database – automatically updates two legacy systems.
Purchased NameSearch from IntelligentSearch to assist with record matching.
One number assigned to an individual – used across the entire institution.
Stored in systems that may have separate ID.
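The TUid layout on this slide (nine digits, leading 9, trailing check digit), worked through as an added example that is not part of the presentation or Temple's code. The slides do not name the check-digit algorithm, so Luhn (mod 10) is assumed, and every function name and sample value is hypothetical.

```python
# Added illustration, not Temple's code. The slides do not name the
# check-digit algorithm; Luhn (mod 10) is an assumption made here.

def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a string of decimal digits."""
    total = 0
    # Walk right to left; every second digit, starting with the one
    # that will sit next to the check digit, is doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10

def make_tuid(sequence: int) -> str:
    """Build '9' + seven-digit sequence number + check digit."""
    if not 0 <= sequence <= 9_999_999:
        raise ValueError("sequence must fit in seven digits")
    payload = f"9{sequence:07d}"
    return payload + str(luhn_check_digit(payload))

def is_valid_tuid(value: str) -> bool:
    """Accept only nine ASCII digits, a leading 9, and a matching check digit."""
    if len(value) != 9 or not (value.isascii() and value.isdigit()):
        return False
    return value[0] == "9" and luhn_check_digit(value[:8]) == int(value[8])

def classify_identifier(raw: str) -> str:
    """Triage a value found in an ID column of a legacy or shadow system."""
    digits = raw.strip().replace("-", "")
    if is_valid_tuid(digits):
        return "tuid"
    if len(digits) == 9 and digits.isascii() and digits.isdigit():
        # Leading 9 with a bad check digit is most likely a mistyped TUid;
        # any other nine-digit value may be an SSN left in place.
        return "invalid-tuid" if digits[0] == "9" else "possible-ssn"
    return "other"

if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    for sample in ["912345675", "912345765", "123-45-6789", "N/A"]:
        print(sample, "->", classify_identifier(sample))
```

The check digit lets a data-entry screen reject a single mistyped digit or a swapped adjacent pair before the lookup runs, and the same validator can flag ID columns in converted systems that still hold nine-digit values that are not TUids.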
Policy
The use of the Social Security number as a primary identifier for Temple-Related Individuals shall be avoided, except as required by law or as required by practical necessity as approved by the President or other designated University officers.
The Vice President for Computer and Information Services shall develop and implement procedures for ensuring compliance.
Compliance Date – September 30, 2005
** Separate SSN procedures define guidelines for SSN handling
Components of SSN Procedures
Primary Identifier
Guidelines for collecting and storing
List of Approved Uses of Social Security Numbers
University Forms Guidelines
Guidelines for Computer and Information Systems
–Encryption
–Display of SSN
List of Social Security Number Safeguards
User Approvals Required
Social Security Number Usage Request Form
–System requires storage of SSN
–Must be encrypted
Access to Social Security Number Approval Form
–Individuals viewing / updating SSN
Required, promotes compliance and is audited by Internal Audits.
Extensive Training
New Data Entry and Search Screens
–Human Resource System
–Student System
–Mandatory
–Conducted 6 weeks prior to conversion
Adding and Searching for Individuals
–Name, TUid or SSN, Birth Date, Address
Authentication Procedures – “What’s your SSN.”
Temple ID Card
Diamond Dollars
Building access
Parking privileges
Library privileges
Printing privileges
Display TUid on Front
Hologram
OWLcard
Card Design
Publications / Office of University Communications
Presented Executive Committee – 2 Choices
What is printed? Display TUid?
President – Final Choice
Verbiage on Reverse – University Counsel
Health System Designs (JCAHO standards)
Card Distribution
24,000 Returning Student ID’s produced
10,000 New Students
7,400 University Employee ID’s
7,500 Health System Employee ID’s
Card Distribution - Employees
Cards Distributed to Dean & Vice Presidential Offices
Employees must sign for receipt of card
Signed receipt forms & unclaimed cards returned to Human Resources
OWLcards cannot be mailed
Returned OWLcards shredded
Card Distribution - Students
Multiple distribution points – card office, large hall, campuses
Students must swipe cards after pickup
OWLcards cannot be mailed
Professional Schools & Ancillary Campuses – return unclaimed cards to Central Office
Unclaimed cards shredded
Why I Still Have My Job / Lessons Learned!
Engage support of Senior Management / an essential ingredient
Tell everyone what you’re doing / communicate and publicize
Seek input from those affected / involve the community
Learn from others’ mistakes / talk to other Universities/Colleges
Create detailed conversion test plan / down to the hour!
Develop a roll back plan / mistakes do occur
Change project team members if necessary
More Lessons Learned
Look for the “hidden systems” / spreadsheets and files are systems
Include programmers on Shadow System Team
Allow plenty of lead time for ID card vendor selection & processing
Help departments with their conversion process
Maintain “on demand” support during implementation
Send friendly reminders to the entire community
Lingering Pains
Issuing multiple TUid’s to one person
Dealing with alumni who do not know TUid
Cleaning historic data
SSN and personal info remaining on laptops and workstations
Non-supported vendor-provided systems that could not be converted
Shadow systems and non-central servers