Presentation is loading. Please wait.

Presentation is loading. Please wait.

Higher Education Privacy Update

Published byPamela Powell Modified over 5 years ago

Similar presentations

Presentation on theme: "Higher Education Privacy Update"— Presentation transcript:

1 Higher Education Privacy Update
David Lindstrom, Chief Privacy Officer The Pennsylvania State University Ross Janssen, Privacy and Security Officer University of Minnesota

2 Session Overview Higher Ed Characteristics
Legal, Regulatory, and Other Reasons to Protect Data Trends The Challenges Facing Us A Couple of Approaches Questions (and Answers?) - what we look like - info we use – we deal with a lot of data - culture - technical competencies Higher Ed Characteristics: Certain Characteristics of Colleges and Universities Make the Security Problem More Difficult Distributed Governance Varying User Needs/User Populations Cultural Tradition of Independence Emphasis on committees and consensus Comparatively slow-moving process facing a fast-moving threat The legal and regulatory framework - are entrusted with data - expectations

3 Characteristics Multiple Missions Decentralization
Limited or Competing Resources Culture of Independence Diverse Technical Competencies Lots of Data – “Big Pipes”

4 How Much Data??? Typical Day: more than 100,000 individual computers are connected > 1.5 million authentication actions by 120,880 unique Access account users Doesn’t include all the College and Department logins 28 February: More than 54,000 systems (of the 100,000) communicated out to the Internet More than 2,900,000 separate systems attempted to “talk to” Penn State from the Internet 10% of the traffic coming from the Internet to Penn State that day was blocked by filtering at the border. (In other words, it was likely hostile activity subject to very simple blocks)

5 Some Characteristics Make Us More Vulnerable:
Distributed Governance Varying User Needs/User Populations Cultural Tradition of Independence Emphasis on Committees and Consensus Relatively slow-moving process facing a fast moving threat

6 Why Should Higher Ed Care?
Data Integrity Intellectual Property People Place Trust in Us Impacts Reputation High Cost for Breaches US Data Protection Framework Fed and state laws being passed in reaction to publicized data use problems Federal Laws (examples): FERPA (education data) GLBA (banking data & credit decisions) HIPAA (identifiable health information) CAN-SPAM ( communications) State Privacy and Notification Laws Regulations and Standards: FDA data security compliance e-Discovery

7 We are Having Breaches Two sources with slightly different numbers, but the news isn’t good: Educational institutions accounted for over 50 of the more than 300 major data breaches in 2006, according to the Privacy Rights Clearinghouse, exposing Social Security numbers, bank account information and other sensitive personal data According to the Treasury Institute for Higher Education “…of the 321 information security breaches nationwide reported in 2006, 84 – or 26% – were at education institutions. This 26% share for Education is particularly disproportionate when we consider that education represents only a small percent of total payment activity nationwide. As a result, financial institutions and card issuers increasingly view education institutions as risky merchants”

8 US Data Protection Framework
Federal and State Laws (to name a few:) FERPA HIPAA GLBA State Notification Laws Regulations and Standards: FDA data security compliance PCI-DSS Fed and state laws being passed in reaction to publicized data use problems Definitely more coming.

9 Trends – What’s Increasing?
Sophistication level of network attacks (Bots, bots and more bots) Complexity of detecting and removing residual malicious software Number of vendor security updates Mobility Laptops and PDA’s connecting to uncontrolled networks and returning Amount of Data We Can Store Accountability Losses and Thefts

10 Consider This:

11 Trends: What’s Decreasing
Amount of time for global spread (worms) Ability to prevent intrusions at the network border Amount of time available to install vendor security updates Amount of time to detect and defeat a network-based attack Customers’ patience

12 Higher Ed Challenges Making improvements in a distributed environment. (Is the tail wagging the dog?) Educating our workforce and students about data security and institutional expectations (We must raise the bar).

13 Challenges (cont.) Ability to respond to new laws.
Balancing security with innovation and exploration. Compliance in an academic culture Research Faculty and staff creativity and use of powerful computer resources with limited security knowledge. Using tools with dangerous power.

14 You’re Going to Make Us Do What?
Initial Reaction by the Governed: Like herding cats

15 Two Approaches The Penn State Information Privacy And Security Project (IPAS) The University of Minnesota’s Privacy and Security Project

16 Information Privacy and Security Project
Privacy and Security Assessment 2006 No lack of existing institutional policies and laws No lack of requirements for departments No lack of internal guidance No enforcement No consequences for non-compliance outside of HIPAA components

17 www.ipas.psu.edu Proposal for a two-year project
Funded and supported by the Provost and Senior Vice President for Finance and Business University-wide project with 3 internal staff reassigned First priority, Payment Card Industry, Data Security Standards verification Second priority, distributed network compliance

18 U of M: Privacy & Security Project
Academic Chain of Command Policies and Procedures Funded Program Consolidated IT function Auditing and Monitoring Appropriate Sanctions in place Education and Awareness

19 U of M: Privacy & Security Project (cont.)
Education and Awareness is critical Educate users about institutional expectations. Educate users about good IT practices. Enhance productivity through standard practices.

20 Future Directions/Expectations
Remarkable recognition of the need for enhanced “CENTRAL” services Increased accountability Shift in the academic paradigm of open environment and limited central oversight (expect culture shock) Enhance similarity between administrative system controls and academic-centric data systems Increased Standardization

21 Questions?

Download ppt "Higher Education Privacy Update"

Similar presentations

IT Security Policy Framework

IT Security Policy Framework
University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.

University Data Classification Table* Level 5Level 4 Information that would cause severe harm to individuals or the University if disclosed. Level 5 information.
Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.

Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.
Herding Cats and Campuses: Addressing Distributed Security and Compliance Issues Educause Security Professionals Conference - April, 2007 Kathy Kimball.

Herding Cats and Campuses: Addressing Distributed Security and Compliance Issues Educause Security Professionals Conference - April, 2007 Kathy Kimball.
Information & Communication Technologies 08 2014 NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.

Information & Communication Technologies NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.

Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.
Data Security At Cornell Steve Schuster. Questions I’d like to Answer ► Why do we care about data security? ► What are our biggest challenges at Cornell?

Data Security At Cornell Steve Schuster. Questions I’d like to Answer ► Why do we care about data security? ► What are our biggest challenges at Cornell?
1 IT Security-related Legislation Judy Borreson Caruso CUMREC 2004 May 18, 2004 Copyright Judy Borreson Caruso, 2004. This work is the intellectual property.

1 IT Security-related Legislation Judy Borreson Caruso CUMREC 2004 May 18, 2004 Copyright Judy Borreson Caruso, This work is the intellectual property.
Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.

Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.
© 2003, EDUCAUSE/Internet2 Computer and Network Security Task Force Computer Access, Privacy and Security: Legal Obligations and Liabilities Rodney J.

© 2003, EDUCAUSE/Internet2 Computer and Network Security Task Force Computer Access, Privacy and Security: Legal Obligations and Liabilities Rodney J.
Accessibility, Integrity, & Confidentiality: Security Challenges for E-Business Rodney J. Petersen University of Maryland & Educause/Internet2 Security.

Accessibility, Integrity, & Confidentiality: Security Challenges for E-Business Rodney J. Petersen University of Maryland & Educause/Internet2 Security.
CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,

CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,
Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.

Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.
Cybercrime Outlook on African banks Adwo Heintjes Global Head IT Audit & Ops Rabobank.

Cybercrime Outlook on African banks Adwo Heintjes Global Head IT Audit & Ops Rabobank.
Chapter 20 20-1 © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Information Security 2013 Roadshow. Roadshow Outline  Why We Care About Information Security  Safe Computing Recognize a Secure Web Site (HTTPS) How.

Information Security 2013 Roadshow. Roadshow Outline  Why We Care About Information Security  Safe Computing Recognize a Secure Web Site (HTTPS) How.
INFORMATION SECURITY REGULATION COMPLIANCE By Insert name dd/mm/yyyy senior leadership training on the primary regulatory requirements,

INFORMATION SECURITY REGULATION COMPLIANCE By Insert name dd/mm/yyyy senior leadership training on the primary regulatory requirements,
Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.

Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.

Similar presentations

Ads by Google