A New Model for Managing Data Security and Privacy


Data Stewardship: A New Model for Managing Data Security and Privacy

About us
Judith House, Associate University Information Security Officer, Office of Information Services, Georgetown University
Heidi Wachs, Director of IT Policy/Privacy Officer, Office of Information Services, Georgetown University

About Georgetown University Private, Mid-size, ~16,000 students. Oldest Catholic & Jesuit university in U.S. Includes undergraduate, graduate and professional (Medical and Law) schools. Hybrid of centralized & distributed IT models.

“The Event” GU suffered a loss of ~38,000 unique SSNs in January 2008. Creation of Data Security Task Force to centralize and coordinate response. Decision to use the breach as impetus to focus on information security, including enhanced data stewardship model.

The Aftermath Identification of repositories of PII. Appropriate measures for protection of PII (short and long term). Development of immediately required policies. Revision of the Data Stewardship model at GU. Creation of University Reporting Center strategy. Review of all technology policies.

What do we have and where is it? Preliminary effort: Subcommittees and working groups identified ‘all’ systems and data repositories. All members of university with data repositories asked to complete a survey describing the data, its handling, protection and distribution. Over 700 separate repositories, 400 with SSNs, identified and described.

Data Stewardship Data stewardship is the architecture by which the University defines responsibility for the management and protection of its data in a manner consistent with the University’s need for access and security.

Why Do We Need a Data Stewardship Architecture? The Data Stewardship Architecture provides a framework within which the University can manage and protect data. There is a steadily increasing need to manage and control PII and other sensitive data, based on changes to law, policy, and regulations that affect the University. In view of the enhanced focus on appropriate management of security and access with regard to University data, it is critical that there exist a published and consistent structure to support these efforts.

Principles of Stewardship Data Stewardship is the responsibility of University and Campus Executive Officers. Stewardship is based on the functional area which is primarily responsible for the data, rather than by the systems where it is stored. Each item of data must have one and only one steward. Stewardship of an item of data cannot be shared.

Principles of Stewardship Cont. Specific responsibility for all data shall be defined and formally documented. Where there is crossover, the core/descriptive data is owned by the primary functional area. The transactional data itself is, or may be, owned by the “receiving” steward. Where data resides in non-enterprise systems, it falls under the stewardship of the Steward(s) whose data was used to provision the system.

Principles of Stewardship Cont. Non-enterprise data stores compiled independently fall under the stewardship of the Data Steward for the relevant functional area. Data Stewards retain responsibility for distributed data. Faculty are considered the Stewards of their research and course materials. Students are considered the Stewards of their own academic work. The term Steward as used here does not imply ownership in any legal sense, for example, as holder of a copyright or patent.

Who Stewards the Data?
Data Steward: University or Campus Executive Officer or the senior direct report of such an Officer, with planning and policy-level responsibilities for data in one or more functional areas, whose responsibilities include classification of data, as well as secure management of and authorization for access to data in the functional area.
Stewardship Administrator: Direct report of the Data Steward, who on behalf of the Data Steward assumes specific administrative duties in support of the work of data stewardship.
Data User: Every individual who possesses or has access to University data, either electronically or otherwise. Every individual in a stewardship role is also a data user.

What do the Data Stewards Do? Classify data under their stewardship as Confidential, Internal Use Only, or Public. Authorize and de-authorize access to data under their stewardship: Based on the principle of least privilege. In a manner that supports individual accountability for user activity. Ensuring that each authorized user has read and signed the Confidentiality Agreement.

What do the Data Stewards Do? Authorize the relevant Reporting Centers to create, distribute and dispose of data in extract form. Promote data resource management for the good of the university. Educate the user community in appropriate management of University data. Maintain a thorough understanding of the data in their functional area.

Stewardship Administrator Responsibilities Perform specific administrative functions related to data stewardship. Maintain a thorough understanding of the data in their functional area, including its appropriate classification under the University’s Information Classification Policy. Understand and ensure compliance with procedures for the protection, creation, retention, distribution and disposal of information under their stewardship, as established by the OISPO and UISO.

Data Classification Initial challenge is to identify the data to be classified by area. Begin with major enterprise system data dictionaries for the target functional area. Identify and classify the core systems data. Once the core data is defined and classified, review your inventory to identify relevant data in other repositories.

Standards for Confidential Information Information must be classified as Confidential if: Its use, storage, or distribution is governed by law, policy, or regulation. Unauthorized disclosure could result in significant legal, financial, reputational, or other adverse impact upon the University. Unauthorized release represents risk to the University.

Regulated Data Its use, storage, or distribution is governed by law or regulation: Protected by laws such as FERPA, GLBA, HIPAA/HITECH, State and Local Information Breach laws. Classified as Secret, Top Secret, or otherwise restricted by a government agency. Legally protected human resource and financial information. Legal documents.

Adverse Impact Unauthorized disclosure could result in significant legal, financial, reputational, or other adverse impact upon the University. Information for which the University is contractually obligated to maintain confidentiality. Intellectual property owned or managed by the University. Research information which may have financial or reputational impact. Donor information.

Risk to the University Unauthorized release represents risk to the University. Information which if released has the potential to compromise the physical security of the University. Building, computing, and infrastructure design information. DPS case information. System passwords, documentation, and other information which might lead to unauthorized exposure of University information.

Internal Use Only Information must be classified as Internal-Use-Only if: It is in the University’s best interest to ensure that the information is not disclosed outside the University. Contract information. Internal memos, documents, and notes. Work products not classified as Confidential.

Public Information
Information must be classified as Public if: It can be freely disseminated to anyone without risk to the University. It may be published on generally available public web sites.
Examples: press releases; course schedules; event calendars; information regarding admissions requirements; information regarding academic programs.

Access Authorization Access to University data is a privilege authorized by the Data Stewards. Data Steward authorization formally defines for each individual and class of individuals what University data may be accessed, viewed, modified, deleted, or reported, based on the individual’s legitimate business requirements.

Basis for Authorization The “principle of least privilege” Each individual’s privileges shall be limited to only that which is necessary for performance of the individual’s duties. “Need to know” Each individual’s access to data shall be limited to only that which is necessary for performance of the individual’s duties. The individual’s role within the organization is the key determinant for defining access.

Basis for Authorization Supportive of individual accountability for access and transactions. Contingent on the existence of a signed University Confidentiality Agreement.

University and Campus Reporting Centers PROBLEM: How can Data Stewards realistically remain accountable for distributed data? SOLUTION: University and Campus Reporting Centers Limited number of ‘data spigots’ distributing data. Formal structure provides clear accountability for uses of PII and other Confidential University Information. Tracking and auditing mechanisms in place for distributed PII.

What’s a Reporting Center? Formal organization structured for the purpose of managing the use and distribution of PII and other confidential information. Solely empowered to create data extracts and reports containing PII. Authorized by Data Stewards for extensive access to data across systems.

Purpose of University and Campus Reporting Centers Chartered to: Create and execute reports across systems and areas of stewardship. Create and execute reports requiring access to Personally Identifiable Information (PII). Create and manage data extracts. Support complex reporting requirements through in-depth knowledge of multiple domains.

Purpose of University and Campus Reporting Centers Support the work of the Data Stewards in managing the use and distribution of University data. Ensure that appropriate authorizations and controls are in place for the distribution of PII and confidential information both within the University and externally. Improve the quality of reporting throughout the University. Aggregate scarce technical resources in support of reporting.

Reporting Center Roles
University or Campus Reporting Center Executive Sponsor: A University or Campus Executive with functional responsibility in the areas relevant to the Reporting Center.
University or Campus Reporting Center Manager: Individual responsible to the Executive Sponsor for the work of a University Reporting Center, formally tasked with ensuring that the Center meets the institution’s needs for reporting on an ongoing basis.
University or Campus Reporting Center Analyst: Individual formally assigned to a Reporting Center and tasked with meeting the institution’s needs for reporting on an ongoing basis.

Reporting Centers and Data Stewards Significantly limits the number of sources able to extract, report, and distribute PII. Trained staff, with formal responsibility (as described in Position Descriptions) for the secure handling of PII and Confidential Information. Audit capability for distributed PII. Consolidates scarce resources. Training and Certification requirements help ensure quality control.

University and Campus Reporting Center Scope Solely authorized to produce and distribute data extracts. Data users other than Reporting Center staff are explicitly not permitted to create extracts for distribution or repurposing, or to create or maintain data stores containing Confidential information.

University and Campus Reporting Center Scope Cont.
Create reports across systems and provide reporting services to multiple offices.
Specifically dedicated to enterprise reporting in support of: compliance reporting; critical processes; cross-functional processes.
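To make the model concrete, here is an added policy-engine sketch (example code written for this transcript, not Georgetown's own system) that encodes the Principles of Stewardship (one and only one steward per data item), the Basis for Authorization (role-based least privilege, contingent on a signed Confidentiality Agreement) and the Reporting Center scope (only Reporting Center staff may create extracts). Class and attribute names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Classification(Enum):
    CONFIDENTIAL = "Confidential"
    INTERNAL = "Internal Use Only"
    PUBLIC = "Public"

@dataclass(frozen=True)
class DataItem:
    name: str
    steward: str                     # one and only one steward per item
    classification: Classification

@dataclass
class DataUser:
    name: str
    role: str
    signed_agreement: bool = False   # signed University Confidentiality Agreement
    reporting_center: bool = False   # formally assigned Reporting Center analyst

class StewardshipPolicy:
    def __init__(self):
        self.items = {}    # item name -> DataItem
        self.grants = {}   # (item name, subject) -> set of permitted operations
        self.audit = []    # record of every authorization, for later review

    def register(self, item):
        # Stewardship cannot be shared: a second steward for the same item is rejected.
        if item.name in self.items:
            raise ValueError(f"{item.name} is already stewarded by {self.items[item.name].steward}")
        self.items[item.name] = item

    def authorize(self, steward, subject, item_name, ops):
        # Only the item's own steward may grant. subject is a user name or "role:<role>",
        # since the role within the organization is the key determinant for access.
        item = self.items[item_name]
        if steward != item.steward:
            raise PermissionError(f"{steward} is not the steward of {item_name}")
        self.grants.setdefault((item_name, subject), set()).update(ops)
        self.audit.append((steward, subject, item_name, tuple(sorted(ops))))

    def permitted(self, user, item_name, op):
        item = self.items[item_name]
        if item.classification is Classification.PUBLIC and op == "view":
            return True       # Public information is freely disseminated
        if not user.signed_agreement:
            return False      # access is contingent on a signed agreement
        if op == "extract" and not user.reporting_center:
            return False      # only Reporting Center staff create extracts
        granted = (self.grants.get((item_name, user.name), set())
                   | self.grants.get((item_name, f"role:{user.role}"), set()))
        return op in granted  # least privilege: nothing beyond explicit grants
```

The audit list is what lets a steward remain accountable for distributed data: every grant records who authorized which subject for which operations.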

Implementing the Data Steward Model
Gather University stakeholders (as many as you can).
Find out what you have and where it is stored.
Identify the categories of data for which stewards must be identified.
Plan and create the necessary support for their work: data dictionaries, classification standards, authorization procedures.
Engage the senior executives in each functional area to appoint appropriate stewards.
Create a working group for the Data Stewards.
Begin the classification process.

Contacts
Heidi Wachs, uispo@georgetown.edu, Director of IT Policy/Privacy Officer
Judy House, housej@georgetown.edu, Associate University Information Security Officer