
1 Minimizing Risk Relating to Sensitive Data

Team Members
- Lori Rounds – CIO
- Aaron Brown – Network Security
- James Beasley – Infrastructure Architect
- Wendell Barbour – Consultant
- Terri Jones – Faculty Senate President
- Leanne McGiveron – Data Steward, Registrar

2 2007 Executive Leadership Seminar – Minimizing Risk Relating to Sensitive Data

Request from the Board of Trustees
a) Define the elements of the current structure, culture, policies and operations that create or increase the risk of a breach of PII.
b) Define the degree of risk and how great a priority this should be for the institution.
c) Develop a plan to minimize the risk and estimate the resources required to do so.

3 Policy Assumptions
- The University has a long-standing breach notification policy in place, updated by General Counsel six months ago.
- Records Retention Policy exists
- Data Stewardship Policy exists
- Data Access Policy exists
- Network Security Policy exists
- Data Privacy Policy exists
- Data Security Policy exists
- Identity Management Policy exists

4 Organizational Assumptions
- Decentralized IT support and administration.
- Accountability for data does not extend beyond Data Stewards.
- No university consequences exist for a data breach.
- Faculty and staff either do not know the policies exist, do not understand them, and/or do not think they apply to them.

5 Elements that Can Create or Increase Breach Risk
- Decentralized computing support and administration.
- Policies developed in isolation from the stakeholders.
- Lack of understanding among employees of the value of sensitive and restricted data.
- Data stewards who manage individual silos of data (paper and electronic), with no communication between stewards.
- Individuals beyond the data stewards collecting and using sensitive/restricted data, on paper and electronically.
- Users who share data, IDs and passwords.

6 Elements that Can Create or Increase Breach Risk (continued)
- Behavioral psychology: human agency, the capacity for making choices.
- Lack of a Data Awareness Training Plan
- Lack of a Communication Plan
- Lack of an Incident Response Plan
- Lack of a Vendor Assessment Plan
- Lack of enforcement of policies
- Lack of consequences for policy violators
- Existing University Risk Management and Crisis Management Plans do not address data.
- Lack of a Data Lifecycle Management/Classification Plan

7 Data Classification*

                      Restricted                      Sensitive                                    Public
Level of Sensitivity  High / Critical                 High / Moderate                              Low
Legislation           Protected by federal and        State breach notification laws               None
                      state legislation
Reputation Risk       High                            High / Medium                                Low
Data Examples         FERPA, HIPAA, SSN               PII and research data not protected by       Institutional news,
                                                      legislation; subsets of restricted data,     educational bulletins, etc.
                                                      such as birthdates, addresses, etc.

* Adapted from the Educause 'IT Security Guide'; http://wiki.internet2.edu

8 Plan to Minimize Risks
- INCLUDE STAKEHOLDERS! Create a cross-university Breach Task Force (with sub-committees) that meets on a weekly basis.
- Task force composed of:
  - Director of Risk Management
  - CIO
  - Faculty and staff representatives
  - Division/Department representatives
  - Administrative assistants representative
  - Security Officer
  - Behavioral Psychologist
  - Director of Human Resources
  - Director of Public Relations
  - Data Stewards
  - General Counsel

9 Plan to Minimize Risks (continued)
- Review current policies on a defined cycle.
- Ability to quickly develop critical-issue policies that may need to bypass the normal policy-making process.
- Centralized policy creation/enforcement structure.

10 Plan to Minimize Risks (continued)
- Make sure that the Data Security Policy addresses:
  - Physical layer (disclosure and access)
  - Logical layer (anti-virus, firewalls)
  - Administrative layer (people)
- Sensitive data on any electronic device or paper medium, not just PCs, is at risk.
- Social engineering audit

11 Plan to Minimize Risk – Clean Slate
- DADs: Data Amnesty Day(s), with incentives!
- Data audit of each user
- Cornell Spider: open source forensics tool that scans disks for patterns such as SSNs and credit card numbers
- Ongoing random data audits
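The data audit above depends on a scan that finds restricted identifiers wherever they have accumulated. The following is an added illustration of that kind of scan, written for this page; it is not Cornell Spider's code or the University's. It assumes US SSNs in NNN-NN-NNNN form (rejecting area 000, 666 and 900-999, group 00 and serial 0000, which the SSA does not issue) and payment card numbers of 13-19 digits validated with the Luhn check digit; the file contents are a constructed in-memory sample, not real data, and a real audit would walk the user's home directory and document stores instead.

```python
"""Minimal sensitive-data scanner: finds SSN and payment-card candidates in text.

Added illustration for the data-audit step; not the code of Cornell Spider
or any other tool. Assumptions: US SSNs written NNN-NN-NNNN, card numbers
of 13-19 digits optionally split by spaces or dashes and checked with Luhn.
"""
import re
from typing import Dict, List, Tuple

SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# 13-19 digit runs; each digit may be followed by one space or dash.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural check only: reject number ranges the SSA never issues."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) findings for one document's text."""
    findings: List[Tuple[str, str]] = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            findings.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Luhn rejects most numeric noise (invoice numbers, phone numbers).
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", digits))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Scan a mapping of path -> contents; report only paths with findings."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for path, contents in files.items():
        hits = scan_text(contents)
        if hits:
            report[path] = hits
    return report


# Constructed sample "files" (not real data): a roster export holding a
# structurally valid SSN and a Luhn-valid test card number; a memo with a
# phone number and an SSN the SSA would never issue; and an invoice number
# that has 16 digits but fails the Luhn check.
SAMPLE_FILES = {
    "H:/advising/roster.csv": "name,id\nJ. Doe,123-45-6789\nA. Roe,4111 1111 1111 1111\n",
    "H:/memos/parking.txt": "Call 555-123-4567 about 000-12-3456 permits.\n",
    "H:/grants/budget.txt": "Invoice 1234567890123456 pending.\n",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path)
        for kind, value in hits:
            print(f"  {kind}: {value}")
```

Only the roster is reported: the memo's phone number and the never-issued SSN are dropped by the structural checks, and the invoice number is dropped by Luhn. An audit tool still needs a human review step, since a structurally valid SSN-shaped string can be something else entirely.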

12 Plan to Minimize Risks (continued)
- Existing policies have not minimized risk; what's missing? The human factor - SDSL!
- Annual mandatory training and testing for employees, including student workers
- Enforce existing policies
- Employees sign non-disclosure/ethics agreements
- Consider all employees as data custodians
- Incident and post-incident review process

13 Incident/Post-Incident Review Team
- Determines the data classification of the disclosed data and whether the breach warrants disclosure:
  - General Counsel
  - Data Forensics Officer
  - Security Officer
  - Deputy CIO
  - Director of Risk Management
- Lessons learned: provide documented closure.

14 Degree of Risk
- Five known breach incidents in the past ten months indicate that the University is at a high degree of risk for additional breaches.
- Based on the data classification matrix, more than 5000 records of "restricted" data were compromised.
- A multitude of risks is possible, ranging from financial (lawsuits; endowment) to loss of donors to loss of reputation.

15 Recommendations: Plan to Repair Reputation (developed in collaboration with the Public Relations Director)
- Keep the entire university community apprised of efforts to minimize risk in the future.
- Add an employee training component to HR's new-employee orientation.
- Consider student and parent training at orientation.
- Consider sharing progress at recruitment events.
- Hold an open forum for the community to discuss concerns related to sensitive data.

16 Resource Estimate
- Consider purchase of breach insurance, funded with the student technology fee.
- Use the existing course management system to deliver training/testing.
- Graduate students in the College of Education Instructional Design program develop content for training/testing.
- Psychology Department faculty as advisors.
- Consider multi-mode training for different learning styles.
- Utilize existing resources such as campus TV and radio stations for public service announcements.

17 Prioritization Recommendation
Competing and conflicting demands for limited resources:
1. Virginia Tech incident: life-threatening crisis notification and communication.
2. Address the mold problem in the residential dorms.
3. Protect the University's reputation by minimizing risk related to breach of sensitive personal data.

18 Final Thoughts
- Data is a university asset, therefore...
- The Strategic Plan needs to include a goal and objectives related to protection of sensitive and restricted data.
- "It's Not About the Bike" (or, here, the technology).
- Beware of vendors! Think 'low-tech' solutions to the problem (e.g., NASA).

19 Questions?

