Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.

Published byHester McKinney Modified over 8 years ago

Similar presentations

Presentation on theme: "Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005."— Presentation transcript:

1 Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005 Dave Millar, Information Security Officer Lauren Steinfeld, Chief Privacy Officer

2 2 Overview Why is Privacy Challenging in Higher Education Recent Environment Role of CPO and ISO Privacy and Security: Conflicts and Collaborations Risk Assessment Tool -- SPIA Conclusions

3 3 Why is Privacy Challenging for Higher Ed? Range and volume of personal data held: Employees Faculty Students Alumni Donors Research subjects Parents Others Vast and complex services Academic programs Patient care Research Financial aid Legal Audit Library IT Housing Dining Parking Facilities management Decentralization / distributed systems and processes Older, less manageable systems – often containing SSNs as keys to identity Open IT systems Academic Freedom Greater security risks

4 4 Recent Environment Increased regulation in privacy and security –Previously: data protection for higher ed was largely covered by FERPA –Recent regulation: HIPAA privacy and security, GLBA safeguards, FACTA, CAN SPAM, PCI Standards, and more More local data opportunities in decentralized environment –More people building their own –More independent and creative uses and sharing of data More security threats to data, systems, networks

5 5 Role of CPO Relatively new in higher ed At Penn: Housed in Office of Audit, Compliance, and Privacy (new) Official Activities –Education, Training, Awareness –Risk Assessment –Risk Remediation –Oversight and Monitoring Other functions –Championing discussion of issue –Serving as point of contact for questions / concerns –Coordinating compliance activities

6 6 Role of ISO Education, awareness, training Incident response Protecting data –Enforce existing policy – primarily by managing exceptions identified through pro-active scanning –Identify weaknesses where best practices are not being followed – e.g. password policies, patching, Windows domain administration –Bring management attention to problem areas –Advancing new security policy agendas

7 7 Examples of Recent Initiatives CPO Awareness focus: ID Theft, Records Destruction SSN Usage Survey Electronic Payments Policy Online Directory HIPAA Privacy FERPA Consent Online Security and Privacy Impact Assessments CAN SPAM Guidance FACTA compliance Incident Response Privacy Liaisons ISO Proactive Scanning Policy Work –Additional on Critical Host Policy –Host Security HIPAA Assessments and Policy Security and Privacy Impact Assessments Wired Authentication Incident Response Incident Management Reports Patch Management Campus-wide awareness

8 8 Privacy and Security: Conflicts and Collaborations Conflicts: –Wired Authentication –Electronic Monitoring –Intrusion Detection Collaborations –Awareness –SPIA –Incident Response –PCI Standards

9 9 High Impact Example: Risk Assessments – Security and Privacy Recognizes the complementary potential of the two issues Team: Security, Privacy, Audit, Business Services Draws on: –Pilot results of v1 SPIA tool –Randy Marchany’s STAR Virginia Tech model –HIPAA Security model –Audit approach

10 10 Security and Privacy Impact Assessments – Basic Approach Phase I: High Level Inventory, Prioritization / SPIA Planning –IT Director of Unit performs inventory and high-level prioritization of assets for 3 year plan for performing SPIAs –Highest priority (including “Critical Hosts” in next FY) Phase II: Actual Risk Assessment –Inventory specific assets (applications only) –For each asset Score likelihood and consequence of certain risks / threats Evaluate potential risk mitigation strategies and develop plan for such mitigation Re-assign, based on mitigation plan, likelihood and consequence of risks / threats Phase III: Reporting –IT Director? –CPO / ISO? –Source Steward(s)? (link to data stewardship) –Advisory Board?

11 11 Conclusions Close collaboration between privacy and security is very effective –Organizational independence allows us to be more effective. –We fine-tune each others’ educational materials and messages. Double the person-power reaching out to different audiences broadens impact –The issue of privacy and risks of identity theft and institutional risk bring a high level of management attention to technical lapses. –Areas of conflict are addressed in a manner that gives due attention to each of the competing interests Continued work on how to best leverage the different focus areas, backgrounds, expertise, partnerships from each office for the overall institutional benefit

Download ppt "Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005."

Similar presentations

1 www.vita.virginia.gov IT Risk Management in Government Jonathan Smith Sr. Risk Manager Commonwealth Security and Risk Management October 1, 2013 www.vita.virginia.gov.

1 IT Risk Management in Government Jonathan Smith Sr. Risk Manager Commonwealth Security and Risk Management October 1,
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Research Administration Capacity Building in an Established Institution Presenter: M.M.Aboud, MD Director of Research and Publications, MUHAS.

Research Administration Capacity Building in an Established Institution Presenter: M.M.Aboud, MD Director of Research and Publications, MUHAS.
Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.

Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.
Neighborhood Watch: University Compliance Developments related to Research Susan Rafferty, Interim Director Office of Institutional Compliance.

Neighborhood Watch: University Compliance Developments related to Research Susan Rafferty, Interim Director Office of Institutional Compliance.
Privacy Laws & Higher Education. Agenda 1.Five Privacy Laws a.FERPA b.HIPAA c.GLB d.FACTA Disposal Rule e.CAN-SPAM 2.Overview of the Laws a.What does.

Privacy Laws & Higher Education. Agenda 1.Five Privacy Laws a.FERPA b.HIPAA c.GLB d.FACTA Disposal Rule e.CAN-SPAM 2.Overview of the Laws a.What does.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Information Security Awareness April 13, 2003. Motivation Recent federal and state regulations and guidance Recent federal and state regulations and guidance.

Information Security Awareness April 13, Motivation Recent federal and state regulations and guidance Recent federal and state regulations and guidance.
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.

Data Incident Notification Policies and Procedures Tracy Mitrano Steve Schuster.
Information & Communication Technologies 08 2014 NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.

Information & Communication Technologies NMSU All About Discovery! Risk-Based Information Security Program at NMSU presented by Norma Grijalva.
Advancing Security Programs through Partnerships Cathy HubbsShirley Payne IT Security Coordinator Director for Security Coordination & Policy George Mason.

Advancing Security Programs through Partnerships Cathy HubbsShirley Payne IT Security Coordinator Director for Security Coordination & Policy George Mason.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
The Way Ahead for Information Systems Security: What You Don’t Know Can Hurt You Christopher Baum Research Vice President Global Government NYSCIO Conference.

The Way Ahead for Information Systems Security: What You Don’t Know Can Hurt You Christopher Baum Research Vice President Global Government NYSCIO Conference.

Similar presentations

Ads by Google