Higher Education Privacy Update - PowerPoint PPT Presentation

About This Presentation
Title:

Higher Education Privacy Update

Slides: 22
Provided by: rossja
Transcript and Presenter's Notes


1
Higher Education Privacy Update
  • David Lindstrom, Chief Privacy Officer
  • The Pennsylvania State University
  • Ross Janssen, Privacy and Security Officer
  • University of Minnesota

2
Session Overview
  • Higher Ed Characteristics
  • Legal, Regulatory, and Other Reasons to Protect
    Data
  • Trends
  • The Challenges Facing Us
  • A Couple of Approaches
  • Questions (and Answers?)

3
Characteristics
  • Multiple Missions
  • Decentralization
  • Limited or Competing Resources
  • Culture of Independence
  • Diverse Technical Competencies
  • Lots of Data 'Big Pipes'

4
How Much Data???
  • Typical Day: more than 100,000 individual
    computers are connected
  • > 1.5 million authentication actions by 120,880
    unique Access account users
  • Doesn't include all the College and Department
    logins
  • 28 February
  • More than 54,000 systems (of the 100,000)
    communicated out to the Internet
  • More than 2,900,000 separate systems attempted to
    talk to Penn State from the Internet
  • 10% of the traffic coming from the Internet to
    Penn State that day was blocked by filtering at
    the border. (In other words, it was likely
    hostile activity subject to very simple blocks)

5
Some Characteristics Make Us More Vulnerable
  • Distributed Governance
  • Varying User Needs/User Populations
  • Cultural Tradition of Independence
  • Emphasis on Committees and Consensus
  • Relatively slow-moving process facing a fast
    moving threat

6
Why Should Higher Ed Care?
  • Data Integrity
  • Intellectual Property
  • People Place Trust in Us
  • Impacts Reputation
  • High Cost for Breaches
  • US Data Protection Framework

7
We are Having Breaches
  • Two sources with slightly different numbers, but
    the news isn't good
  • Educational institutions accounted for over 50 of
    the more than 300 major data breaches in 2006,
    according to the Privacy Rights Clearinghouse,
    exposing Social Security numbers, bank account
    information and other sensitive personal data
  • According to the Treasury Institute for Higher
    Education, of the 321 information security
    breaches nationwide reported in 2006, 84 or 26%
    were at education institutions. This 26% share
    for Education is particularly disproportionate
    when we consider that education represents only a
    small percent of total payment activity
    nationwide. As a result, financial institutions
    and card issuers increasingly view education
    institutions as risky merchants

8
US Data Protection Framework
  • Federal and State Laws (to name a few)
  • FERPA
  • HIPAA
  • GLBA
  • State Notification Laws
  • Regulations and Standards
  • FDA data security compliance
  • PCI-DSS

9
Trends: What's Increasing?
  • Sophistication level of network attacks (Bots,
    bots and more bots)
  • Complexity of detecting and removing residual
    malicious software
  • Number of vendor security updates
  • Mobility
  • Laptops and PDAs connecting to uncontrolled
    networks and returning
  • Amount of Data We Can Store
  • Accountability

10
Consider This

11
Trends: What's Decreasing
  • Amount of time for global spread (worms)
  • Ability to prevent intrusions at the network
    border
  • Amount of time available to install vendor
    security updates
  • Amount of time to detect and defeat a
    network-based attack
  • Customers' patience

12
Higher Ed Challenges
  • Making improvements in a distributed environment.
    (Is the tail wagging the dog?)
  • Educating our workforce and students about data
    security and institutional expectations (We must
    raise the bar).

13
Challenges (cont.)
  • Ability to respond to new laws.
  • Balancing security with innovation and
    exploration.
  • Compliance in an academic culture
  • Research

14
You're Going to Make Us Do What?
  • Initial Reaction by the Governed

Like herding cats

15
Two Approaches
  • The Penn State Information Privacy And Security
    Project (IPAS)
  • The University of Minnesota's Privacy and
    Security Project

16
Information Privacy and Security Project
  • Privacy and Security Assessment 2006
  • No lack of existing institutional policies and
    laws
  • No lack of requirements for departments
  • No lack of internal guidance
  • No enforcement
  • No consequences for non-compliance outside of
    HIPAA components

17
www.ipas.psu.edu
  • Proposal for a two-year project
  • Funded and supported by the Provost and Senior
    Vice President for Finance and Business
  • University-wide project with 3 internal staff
    reassigned
  • First priority, Payment Card Industry, Data
    Security Standards verification
  • Second priority, distributed network compliance

18
U of M Privacy & Security Project
  • Academic Chain of Command
  • Policies and Procedures
  • Funded Program
  • Consolidated IT function
  • Auditing and Monitoring
  • Appropriate Sanctions in place
  • Education and Awareness

19
U of M Privacy & Security Project (cont.)
  • Education and Awareness is critical
  • Educate users about institutional expectations.
  • Educate users about good IT practices.
  • Enhance productivity through standard practices.

20
Future Directions/Expectations
  • Remarkable recognition of the need for enhanced
    CENTRAL services
  • Increased accountability
  • Shift in the academic paradigm of open
    environment and limited central oversight (expect
    culture shock)
  • Enhance similarity between administrative system
    controls and academic-centric data systems
  • Increased Standardization

21
Questions?
djl6_at_psu.edu
janss006_at_umn.edu