Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.

Data Protection in Higher Education: Recent Experiences in Privacy and Security
Institute for Computer Law and Policy, Cornell University, June 29, 2005
Dave Millar, Information Security Officer
Lauren Steinfeld, Chief Privacy Officer

2 Overview
Why is Privacy Challenging in Higher Education
Recent Environment
Role of CPO and ISO
Privacy and Security: Conflicts and Collaborations
Risk Assessment Tool -- SPIA
Conclusions

3 Why is Privacy Challenging for Higher Ed?
Range and volume of personal data held: employees, faculty, students, alumni, donors, research subjects, parents, others
Vast and complex services: academic programs, patient care, research, financial aid, legal, audit, library, IT, housing, dining, parking, facilities management
Decentralization / distributed systems and processes
Older, less manageable systems – often containing SSNs as keys to identity
Open IT systems
Academic freedom
Greater security risks

4 Recent Environment
Increased regulation in privacy and security
– Previously: data protection for higher ed was largely covered by FERPA
– Recent regulation: HIPAA privacy and security, GLBA safeguards, FACTA, CAN-SPAM, PCI Standards, and more
More local data opportunities in a decentralized environment
– More people building their own
– More independent and creative uses and sharing of data
More security threats to data, systems, networks

5 Role of CPO
Relatively new in higher ed
At Penn: housed in Office of Audit, Compliance, and Privacy (new)
Official activities
– Education, Training, Awareness
– Risk Assessment
– Risk Remediation
– Oversight and Monitoring
Other functions
– Championing discussion of the issue
– Serving as point of contact for questions / concerns
– Coordinating compliance activities

6 Role of ISO
Education, awareness, training
Incident response
Protecting data
– Enforce existing policy – primarily by managing exceptions identified through pro-active scanning
– Identify weaknesses where best practices are not being followed – e.g. password policies, patching, Windows domain administration
– Bring management attention to problem areas
– Advancing new security policy agendas

7 Examples of Recent Initiatives
CPO
– Awareness focus: ID Theft, Records Destruction
– SSN Usage Survey
– Electronic Payments Policy
– Online Directory
– HIPAA Privacy
– FERPA Consent Online
– Security and Privacy Impact Assessments
– CAN-SPAM Guidance
– FACTA compliance
– Incident Response
– Privacy Liaisons
ISO
– Proactive Scanning
– Policy Work: additional on Critical Host Policy; Host Security
– HIPAA Assessments and Policy
– Security and Privacy Impact Assessments
– Wired Authentication
– Incident Response
– Incident Management Reports
– Patch Management
– Campus-wide awareness

8 Privacy and Security: Conflicts and Collaborations
Conflicts
– Wired Authentication
– Electronic Monitoring
– Intrusion Detection
Collaborations
– Awareness
– SPIA
– Incident Response
– PCI Standards

9 High Impact Example: Risk Assessments – Security and Privacy
Recognizes the complementary potential of the two issues
Team: Security, Privacy, Audit, Business Services
Draws on:
– Pilot results of v1 SPIA tool
– Randy Marchany's STAR Virginia Tech model
– HIPAA Security model
– Audit approach

10 Security and Privacy Impact Assessments – Basic Approach
Phase I: High Level Inventory, Prioritization / SPIA Planning
– IT Director of Unit performs inventory and high-level prioritization of assets for a 3-year plan for performing SPIAs
– Highest priority (including "Critical Hosts" in next FY)
Phase II: Actual Risk Assessment
– Inventory specific assets (applications only)
– For each asset:
  1. Score likelihood and consequence of certain risks / threats
  2. Evaluate potential risk mitigation strategies and develop a plan for such mitigation
  3. Re-assign, based on the mitigation plan, likelihood and consequence of risks / threats
Phase III: Reporting (to whom?)
– IT Director?
– CPO / ISO?
– Source Steward(s)? (link to data stewardship)
– Advisory Board?
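The Phase I prioritization and the Phase II score / plan / re-score loop, as an added illustration in Python; this is not Penn's SPIA tool, and the 5-point scale, the likelihood-times-consequence scoring, and the sample inventory are assumptions.

```python
from dataclasses import dataclass, field

SCALE = range(1, 6)  # assumed 5-point scale for likelihood and consequence
def _check(value: int, label: str) -> int:
    if value not in SCALE:  # reject scores outside the assumed 1-5 scale
        raise ValueError(f"{label} must be 1..5, got {value}")
    return value
@dataclass
class Threat:
    name: str
    likelihood: int           # inherent likelihood, 1-5
    consequence: int          # inherent consequence, 1-5
    mitigation: str = ""      # planned mitigation strategy, empty if none
    post_likelihood: int = 0  # re-assigned after the plan (0 = unchanged)
    post_consequence: int = 0

    def inherent(self) -> int:
        return _check(self.likelihood, "likelihood") * _check(self.consequence, "consequence")

    def residual(self) -> int:
        # Phase II, third step: re-assign likelihood/consequence given the mitigation plan
        like = self.post_likelihood or self.likelihood
        cons = self.post_consequence or self.consequence
        return _check(like, "post_likelihood") * _check(cons, "post_consequence")
@dataclass
class Asset:
    name: str
    critical_host: bool = False
    threats: list = field(default_factory=list)

    def inherent(self) -> int:
        return max((t.inherent() for t in self.threats), default=0)

    def residual(self) -> int:
        return max((t.residual() for t in self.threats), default=0)

def phase1_order(assets: list) -> list:
    """Phase I: critical hosts first (next FY), then by highest inherent risk."""
    return [a.name for a in sorted(assets, key=lambda a: (not a.critical_host, -a.inherent(), a.name))]

def phase2_rows(asset: Asset) -> list:
    """Phase II/III: per-threat (threat, inherent, residual, mitigation) report rows."""
    return [(t.name, t.inherent(), t.residual(), t.mitigation or "none planned") for t in asset.threats]
# Constructed sample inventory for illustration; not real Penn data.
SAMPLE = [
    Asset("Legacy financial aid system", critical_host=True, threats=[
        Threat("SSN as record key in reports", 4, 5, "Mask SSN; switch to internal ID", 2, 3),
        Threat("Host not centrally patched", 3, 4, "Enroll in patch management", 1)]),
    Asset("Online directory", threats=[Threat("Bulk harvesting of contact data", 3, 2)]),
]
```

A threat with no post-mitigation scores keeps its inherent score as residual, which is how an unmitigated item stays visible in the Phase III report.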

11 Conclusions
Close collaboration between privacy and security is very effective
– Organizational independence allows us to be more effective.
– We fine-tune each other's educational materials and messages.
Double the person-power reaching out to different audiences broadens impact
– The issue of privacy and the risks of identity theft and institutional risk bring a high level of management attention to technical lapses.
– Areas of conflict are addressed in a manner that gives due attention to each of the competing interests.
Continued work on how to best leverage the different focus areas, backgrounds, expertise, and partnerships of each office for the overall institutional benefit