
Higher Education Privacy Update

Higher Education Privacy Update. David Lindstrom, Chief Privacy Officer The Pennsylvania State University Ross Janssen, Privacy and Security Officer University of Minnesota . Session Overview. Higher Ed Characteristics Legal, Regulatory, and Other Reasons to Protect Data Trends





Presentation Transcript


  1. Higher Education Privacy Update
  David Lindstrom, Chief Privacy Officer, The Pennsylvania State University
  Ross Janssen, Privacy and Security Officer, University of Minnesota

  2. Session Overview
  • Higher Ed Characteristics
  • Legal, Regulatory, and Other Reasons to Protect Data
  • Trends
  • The Challenges Facing Us
  • A Couple of Approaches
  • Questions (and Answers?)

  3. Characteristics
  • Multiple Missions
  • Decentralization
  • Limited or Competing Resources
  • Culture of Independence
  • Diverse Technical Competencies
  • Lots of Data – “Big Pipes”

  4. How Much Data???
  • Typical Day: more than 100,000 individual computers are connected
  • > 1.5 million authentication actions by 120,880 unique Access account users
    • Doesn’t include all the College and Department logins
  • 28 February:
    • More than 54,000 systems (of the 100,000) communicated out to the Internet
    • More than 2,900,000 separate systems attempted to “talk to” Penn State from the Internet
    • 10% of the traffic coming from the Internet to Penn State that day was blocked by filtering at the border. (In other words, it was likely hostile activity subject to very simple blocks)

  5. Some Characteristics Make Us More Vulnerable:
  • Distributed Governance
  • Varying User Needs/User Populations
  • Cultural Tradition of Independence
  • Emphasis on Committees and Consensus
  • Relatively slow-moving process facing a fast-moving threat

  6. Why Should Higher Ed Care?
  • Data Integrity
  • Intellectual Property
  • People Place Trust in Us
  • Impacts Reputation
  • High Cost for Breaches
  • US Data Protection Framework

  7. We are Having Breaches
  • Two sources with slightly different numbers, but the news isn’t good:
    • Educational institutions accounted for over 50 of the more than 300 major data breaches in 2006, according to the Privacy Rights Clearinghouse, exposing Social Security numbers, bank account information and other sensitive personal data
    • According to the Treasury Institute for Higher Education: “…of the 321 information security breaches nationwide reported in 2006, 84 – or 26% – were at education institutions. This 26% share for Education is particularly disproportionate when we consider that education represents only a small percent of total payment activity nationwide. As a result, financial institutions and card issuers increasingly view education institutions as risky merchants”

  8. US Data Protection Framework
  • Federal and State Laws (to name a few):
    • FERPA
    • HIPAA
    • GLBA
    • State Notification Laws
  • Regulations and Standards:
    • FDA data security compliance
    • PCI-DSS

  9. Trends – What’s Increasing?
  • Sophistication level of network attacks (Bots, bots and more bots)
  • Complexity of detecting and removing residual malicious software
  • Number of vendor security updates
  • Mobility
    • Laptops and PDAs connecting to uncontrolled networks and returning
  • Amount of Data We Can Store
  • Accountability

  10. Consider This:

  11. Trends: What’s Decreasing
  • Amount of time for global spread (worms)
  • Ability to prevent intrusions at the network border
  • Amount of time available to install vendor security updates
  • Amount of time to detect and defeat a network-based attack
  • Customers’ patience

  12. Higher Ed Challenges
  • Making improvements in a distributed environment. (Is the tail wagging the dog?)
  • Educating our workforce and students about data security and institutional expectations. (We must raise the bar.)

  13. Challenges (cont.)
  • Ability to respond to new laws.
  • Balancing security with innovation and exploration.
  • Compliance in an academic culture.
  • Research.

  14. You’re Going to Make Us Do What?
  • Initial Reaction by the Governed: Like herding cats

  15. Two Approaches
  • The Penn State Information Privacy And Security Project (IPAS)
  • The University of Minnesota’s Privacy and Security Project

  16. Information Privacy and Security Project
  • Privacy and Security Assessment 2006
    • No lack of existing institutional policies and laws
    • No lack of requirements for departments
    • No lack of internal guidance
    • No enforcement
    • No consequences for non-compliance outside of HIPAA components

  17. www.ipas.psu.edu
  • Proposal for a two-year project
  • Funded and supported by the Provost and Senior Vice President for Finance and Business
  • University-wide project with 3 internal staff reassigned
  • First priority: Payment Card Industry Data Security Standards verification
  • Second priority: distributed network compliance

  18. U of M: Privacy & Security Project
  • Academic Chain of Command
  • Policies and Procedures
  • Funded Program
  • Consolidated IT function
  • Auditing and Monitoring
  • Appropriate Sanctions in place
  • Education and Awareness

  19. U of M: Privacy & Security Project (cont.)
  • Education and Awareness is critical
    • Educate users about institutional expectations.
    • Educate users about good IT practices.
    • Enhance productivity through standard practices.

  20. Future Directions/Expectations
  • Remarkable recognition of the need for enhanced “CENTRAL” services
  • Increased accountability
  • Shift in the academic paradigm of open environment and limited central oversight (expect culture shock)
  • Enhance similarity between administrative system controls and academic-centric data systems
  • Increased Standardization

  21. Questions?
  djl6@psu.edu
  janss006@umn.edu
