Higher Education Privacy Update

Transcription

1 Higher Education Privacy Update David Lindstrom, Chief Privacy Officer The Pennsylvania State University Ross Janssen, Privacy and Security Officer University of Minnesota

2 Session Overview Higher Ed Characteristics Legal, Regulatory, and Other Reasons to Protect Data Trends The Challenges Facing Us A Couple of Approaches Questions (and Answers?)

3 Characteristics Multiple Missions Decentralization Limited or Competing Resources Culture of Independence Diverse Technical Competencies Lots of Data Big Pipes

4 How Much Data??? Typical Day: more than 100,000 individual computers are connected > 1.5 million authentication actions by 120,880 unique Access account users Doesn t include all the College and Department logins 28 February: More than 54,000 systems (of the 100,000) communicated out to the Internet More than 2,900,000 separate systems attempted to talk to Penn State from the Internet 10% of the traffic coming from the Internet to Penn State that day was blocked by filtering at the border. (In other words, it was likely hostile activity subject to very simple blocks)

5 Some Characteristics Make Us More Vulnerable: Distributed Governance Varying User Needs/User Populations Cultural Tradition of Independence Emphasis on Committees and Consensus Relatively slow-moving process facing a fast moving threat

6 Why Should Higher Ed Care? Data Integrity Intellectual Property People Place Trust in Us Impacts Reputation High Cost for Breaches US Data Protection Framework

7 We are Having Breaches Two sources with slightly different numbers, but the news isn t good: Educational institutions accounted for over 50 of the more than 300 major data breaches in 2006, according to the Privacy Rights Clearinghouse, exposing Social Security numbers, bank account information and other sensitive personal data According to the Treasury Institute for Higher Education of the 321 information security breaches nationwide reported in 2006, 84 or 26% were at education institutions. This 26% share for Education is particularly disproportionate when we consider that education represents only a small percent of total payment activity nationwide. As a result, financial institutions and card issuers increasingly view education institutions as risky merchants

8 US Data Protection Framework Federal and State Laws (to name a few:) FERPA HIPAA GLBA State Notification Laws Regulations and Standards: FDA data security compliance PCI-DSS

9 Trends What s Increasing? Sophistication level of network attacks (Bots, bots and more bots) Complexity of detecting and removing residual malicious software Number of vendor security updates Mobility Laptops and PDA s connecting to uncontrolled networks and returning Amount of Data We Can Store Accountability

10 Consider This:

11 Trends: What s Decreasing Amount of time for global spread (worms) Ability to prevent intrusions at the network border Amount of time available to install vendor security updates Amount of time to detect and defeat a network-based attack Customers patience

12 Higher Ed Challenges Making improvements in a distributed environment. (Is the tail wagging the dog?) Educating our workforce and students about data security and institutional expectations (We must raise the bar).

13 Challenges (cont.) Ability to respond to new laws. Balancing security with innovation and exploration. Compliance in an academic culture Research

14 You re Going to Make Us Do What? Initial Reaction by the Governed: Like herding cats

15 Two Approaches The Penn State Information Privacy And Security Project (IPAS) The University of Minnesota s Privacy and Security Project

16 Information Privacy and Security Project Privacy and Security Assessment 2006 No lack of existing institutional policies and laws No lack of requirements for departments No lack of internal guidance No enforcement No consequences for non-compliance outside of HIPAA components

17 Proposal for a two-year project Funded and supported by the Provost and Senior Vice President for Finance and Business University-wide project with 3 internal staff reassigned First priority, Payment Card Industry, Data Security Standards verification Second priority, distributed network compliance

18 U of M: Privacy & Security Project Academic Chain of Command Policies and Procedures Funded Program Consolidated IT function Auditing and Monitoring Appropriate Sanctions in place Education and Awareness

19 U of M: Privacy & Security Project (cont.) Education and Awareness is critical Educate users about institutional expectations. Educate users about good IT practices. Enhance productivity through standard practices.

20 Future Directions/Expectations Remarkable recognition of the need for enhanced CENTRAL services Increased accountability Shift in the academic paradigm of open environment and limited central oversight (expect culture shock) Enhance similarity between administrative system controls and academic-centric data systems Increased Standardization

21 Questions?