Education, Experience and the Disconnect Between Privacy, Security and the University

1. Education, Experience and the Disconnect Between Privacy, Security and the University Patrick Feehan, Montgomery College Ross Janssen, University of Minnesota Sarah Morrow, The Pennsylvania State University Jane Rosenthal, The University of Kansas October 21, 2011

2. University or city? • What does a University really “look” like?

3. MISSION STATEMENTS • The University of Kansas is committed to safeguarding all Private Information entrusted to the University by the public and members of the KU community.  • This notice describes the University’s general privacy policy as it relates to the collection, protection and disclosure of such information.  • ~https://documents.ku.edu/policies/provost/PrivacyPolicyGeneral.htm

4. Big picture

5. BUILDING • Buildings • Acres • Multiple Campuses • Police • Health Services • Design & Construction • Facilities Operations

6. Athletics & POLITICS

7. Health SERVICES

8. Federal PRIVACY LAWS

9. State LawS • Privacy of Health Info • Mental Health Laws • Drug Testing Laws • Employment Laws • Consumer Info • Breach Notification • Open Records/ Sunshine Law

10. PolicY

11. Follow the Data

12. THANK YOU Jane Rosenthal University of Kansas 785-864-9528 privacy@ku.edu www.privacy.ku.edu

15. How do you close the gaps & get things done? • First, identify the gaps • Where gaps come from: • Budget pressures • Independent decision making about technology • Changes in technology • Purchasing practices • Lack of technical, physical, and administrative controls

16. How do you close the gaps & get things done? • Understand privacy and security needs • Regulatory • Contractual • Ethical etc.

17. How do you close the gaps & get things done? • Take a holistic approach • Develop and implement common: • Policies • Processes • Education

18. Policies • Translate compliance requirements into consistent policies that address areas of control • Set the bar • Define roles and responsibilities • Establish auditing practices • Define disciplinary action

19. Processes • Develop a governance framework and strategy that meets the goals of the organization • Create groups that can make decisions or advise on privacy and security issues • Privacy professionals should participate on security groups and vice versa • Privacy Committee • Security Advisory Committee • Steering Committee

20. Processes • Establish process to manage governance activities • risk Assessment • privacy impact • access management • Establish physical and environmental security standards

21. Education • Design and implement ongoing education programs that describe expectations for privacy and security practices that include: • Information about the regulatory landscape • How to appropriately use deployed tech • Information about policies that set the expectation • Consequences

22. What can happen in the gap. . .

23. How did that happen? • A decision was made • A project got planned • Security was at the table, but Privacy was not • A GAP appeared • Suddenly 13,000 users can’t use Google, business relationships are at risk, the University will be out of compliance • The legacy email and calendaring systems have to stay – diminishing savings • A new solution needs to be found

24. The Privacy PerspectiveSarah Morrow, Chief Privacy OfficerThe Pennsylvania State Universitysdm24@psu.edu

26. Privacy Function • Often folded into another area of responsibility • Not necessarily Security • Legal • Risk • Compliance • Often considered only related to Healthcare • No recognizable educational track available: • No IT Security pre-requisite • No HE classes per se • No prerequisites in legal, compliance or risk

27. Privacy Function, continued: • As a Privacy pro, how to mitigate your risk of lack of education in security: • SANs Training (work-study) • HIPAATraining.Net • CHSE – Certified HIPAA Security Expert • CHPSE – Certified HIPAA Privacy Security Expert • Traditional education new programs • MBA- Information Security • MPS – Information Security/Assurance • Campus IT training • Partner with your CISO

28. Privacy 101 • As a security pro-how to mitigate lack of Privacy training: • DIY – research state and federal laws • Rely on outside resources such as: NACUBO, NACUA & EDUCAUSE • Rely on University Counsel • Monitor www.PrivacyRights.org • HIPAAtraining.Net • CHPA – Certified HIPAA Privacy Associate • CHPE – Certified HIPAA Privacy Expert • CHPSE – Certified HIPAA Privacy Security Expert • I.A.P.P.

29. Privacy Training • International Association of Privacy Professionals (I.A.P.P.) • Certifying Body • Over 9000 members in 70 countries • Internationally recognized • Growing field of expertise • Often certification is not a requirement in H.E.

30. Privacy Training, Continued: • Multiple Designations/ Specialties • CIPP/U.S. Corporate • CIPP/ Information Technology • CIPP/Government • CIPP/Canada • CIPP/Europe (new 2012) • Two conferences annually • Regulatory based–spring, always Washington DC • Information technology based – Fall location changes

31. College. Bastion of Network and Information Security.

32. Network and Information Security and Privacy ProgramInformation assets of Montgomery College (“College”), in all its forms and throughout its life cycle, will be protected through information management standards and actions that meet applicable federal, state, regulatory, or contractual requirements and support the college’s mission, vision, and values. It is the intent of OIT that through a layered combination of technology, standards and education the risk of attacks and incidents can be significantly reduced to a manageable level.

33. Security in its place at the College. Responsive. Speaks of securing against risk. Managing risk is a fundamental requirement of Information Security. Most of us understand risk as some basic level. We are natural risk analysts. We sense or see some threat, make a quick assessment about our vulnerability, and decide how much risk we face. Sometimes we choose to do nothing. Sometimes we act.

34. Earthquake X Sitting outside at a restaurant = Risk • Threat X Vulnerability = Risk • Risk = Likelihood • X Impact • It can get much more complex (ALE = SLE * ARO), with extensive calculations based upon asset value cost, exposure factor, or annualized rate of occurrence, but it is basically the same formula at its root.

35. Security Controls – Compensatory Controls • Mitigation is the most commonly considered risk management strategy. Mitigation involves fixing the flaw or providing some type of compensatory control to reduce the likelihood or impact associated with the flaw. • The Controls we choose (counter measures or mitigation) to mitigate risk help determine the state of privacy that we have promised our clients.

36. Compensatory Controls – Our Link to Privacy • Controls create the security system, which allow a state of privacy to exist…to an extent • Controls Are Categorized Two Ways: • - Preventive – prevent the loss from occurring – segregation of duties • - Detective – monitoring activity to identify risky activities or operations. • -Corrective – We restore a system or process back to a prior state - backups

37. There is also another way to Think of Controls Administrative: laws regulations, policies, practices and guidelines Logical: virtual, application and technical controls. Physical – video surveillance, door locks, guards, remote backup.

38. HIPAA DOES a great job of making us think about controls Administrative Security Procedures, Legal Compliance Technical Security HIPAA COMPLIANCE Business Associate Management Physical Security

39. HIPAA Administrative Procedures Standard Implementation Specification Security Management Process §164.308(a)(1) Risk Analysis (R) Risk Management (R) Sanction Policy (R) Information System Activity Review (R) Assigned Security Responsibility §164.308(a)(2) No Additional Implementation Specification Workforce Security §164.308(a)(3) Authorization and/or Supervision (A) Workforce Clearance Procedure (A) Termination Procedures (A) Information Access Management §164.308(a)(4) Isolating Health Care Clearinghouse Function (R) Access Authorization (A) Access Establishment and Modification (A) 39

40. Administrative Procedures (cont’d.) Standard Implementation Specification Security Reminders (A) Protection from Malicious Software (A) Log-in monitoring (A) Password Management (A) Security Awareness and Training §164.308(a)(5) Security Incident Procedures §164.308(a)(6) Response and Reporting (R) Contingency Planning §164.308(a)(7) Data Backup Plan (R) Disaster Recovery Plan (R) Emergency Mode Operation Plan (R) Testing and Revision Procedure (A) Applications and Data Criticality Analysis (A) Evaluation §164.308(a)(8) No Additional Implementation Specification (R) Business Associate Contracts and Other Arrangements §164.308(b)(1) Written Contract or Other Arrangement (R) 40

41. Physical Security Safeguards Requirement Implementation Specification Facility Access Controls §164.310(a)(1) Contingency Operations (A) Facility Security Plan (A) Access Control and Validation Procedures (A) Maintenance Records (A) Workstation Use §164.310(b) No Additional Implementation Specification (R) Workstation Security §164.310(c) No Additional Implementation Specification (R) Device and Media Controls §164.310(d)(1) Disposal (R) Media Re-Use (R) Accountability (A) Data Backup and Storage (A) 41

42. Technical Safeguards Implementation Specification Standard Access Controls §164.312(a)(1) Unique User Identification (R) Emergency Access Procedure (R) Automatic Logoff (A) Encryption and Decryption (A) Audit Controls §164.312(b) No Additional Implementation Specification (R) Integrity §164.312(c)(1) Mechanism to Authenticate Electronic PHI (A) Person or Entity Authentication §164.312(d) No Additional Implementation Specification (R) Transmission Security §164.312(e)(1) Integrity Controls (A) Encryption (A) 42

43. And A Shameless Plug For The Higher Education Information Security Council (HEISC) Security Guide Editorial Board We have created a guided about the security controls required of ISO 27002, which a great security standard. https://wiki.internet2.edu/confluence/display/itsg2/Home

44. ISO 27002 - 11 Security Control Clauses Security Policy Compliance Organization of Information Security Business Continuity Management Asset Management Integrity Confidentiality Info. Security Incident Management Human Resource Security Information Availability Info Systems Acquisition Dev. & Maintenance Physical and Environmental Security Communications and Operations Mgt Access control

45. NIST 800-53 – Another great set of controls - as it Now Exists __________

46. NIST Effective December 2011 _________________

47. NIST Privacy Controls – Data Governance/Management • TR Transparency • TR-1 Privacy Notice • TR-2 Dissemination of Privacy Program Information • IP Individual Participation and Redress • IP-1 Consent • IP-2 Access • IP-3 Redress • IP-4 Complaint Management • AP Authority and Purpose • AP-1 Authority to Collect • AP-2 Purpose Specification • DM Data Minimization and Retention • DM-1 Minimization of Personally Identifiable Information • DM-2 Data Retention and Disposal • UL Use Limitation • UL-1 Internal Use • UL-2 Information Sharing • UL-3 System Design and Development • DI Data Quality and Integrity • DI-1 Data Quality • DI-2 Data Integrity • SE Security • SE-1 Inventory of Personally Identifiable Information • SE-2 Privacy Incident Response • AR Accountability, Audit, and Risk Management • AR-1 Governance and Privacy Program • AR-2 Privacy Impact and Risk Assessment • AR-3 Privacy Requirements for Contractors and Service Providers • AR-4 Privacy Monitoring and Auditing • AR-5 Privacy Awareness and Training • AR-6 Privacy Reporting

48. Patrick J. Feehanpatrick.feehan@montgomerycollege.edu240-567-3087

50. THANK YOU