Higher Education Privacy Update David Lindstrom, Chief Privacy Officer The Pennsylvania State University Ross Janssen, Privacy and Security Officer University of Minnesota
Session Overview Higher Ed Characteristics Legal, Regulatory, and Other Reasons to Protect Data Trends The Challenges Facing Us A Couple of Approaches Questions (and Answers?) - what we look like - info we use – we deal with a lot of data - culture - technical competencies Higher Ed Characteristics: Certain Characteristics of Colleges and Universities Make the Security Problem More Difficult Distributed Governance Varying User Needs/User Populations Cultural Tradition of Independence Emphasis on committees and consensus Comparatively slow-moving process facing a fast-moving threat The legal and regulatory framework - are entrusted with data - expectations
Characteristics Multiple Missions Decentralization Limited or Competing Resources Culture of Independence Diverse Technical Competencies Lots of Data – “Big Pipes”
How Much Data??? Typical Day: more than 100,000 individual computers are connected > 1.5 million authentication actions by 120,880 unique Access account users Doesn’t include all the College and Department logins 28 February: More than 54,000 systems (of the 100,000) communicated out to the Internet More than 2,900,000 separate systems attempted to “talk to” Penn State from the Internet 10% of the traffic coming from the Internet to Penn State that day was blocked by filtering at the border. (In other words, it was likely hostile activity subject to very simple blocks)
Some Characteristics Make Us More Vulnerable: Distributed Governance Varying User Needs/User Populations Cultural Tradition of Independence Emphasis on Committees and Consensus Relatively slow-moving process facing a fast moving threat
Why Should Higher Ed Care? Data Integrity Intellectual Property People Place Trust in Us Impacts Reputation High Cost for Breaches US Data Protection Framework Fed and state laws being passed in reaction to publicized data use problems Federal Laws (examples): FERPA (education data) GLBA (banking data & credit decisions) HIPAA (identifiable health information) CAN-SPAM (email communications) State Privacy and Notification Laws Regulations and Standards: FDA data security compliance e-Discovery
We are Having Breaches Two sources with slightly different numbers, but the news isn’t good: Educational institutions accounted for over 50 of the more than 300 major data breaches in 2006, according to the Privacy Rights Clearinghouse, exposing Social Security numbers, bank account information and other sensitive personal data According to the Treasury Institute for Higher Education “…of the 321 information security breaches nationwide reported in 2006, 84 – or 26% – were at education institutions. This 26% share for Education is particularly disproportionate when we consider that education represents only a small percent of total payment activity nationwide. As a result, financial institutions and card issuers increasingly view education institutions as risky merchants”
US Data Protection Framework Federal and State Laws (to name a few:) FERPA HIPAA GLBA State Notification Laws Regulations and Standards: FDA data security compliance PCI-DSS Fed and state laws being passed in reaction to publicized data use problems Definitely more coming.
Trends – What’s Increasing? Sophistication level of network attacks (Bots, bots and more bots) Complexity of detecting and removing residual malicious software Number of vendor security updates Mobility Laptops and PDA’s connecting to uncontrolled networks and returning Amount of Data We Can Store Accountability Losses and Thefts
Consider This:
Trends: What’s Decreasing Amount of time for global spread (worms) Ability to prevent intrusions at the network border Amount of time available to install vendor security updates Amount of time to detect and defeat a network-based attack Customers’ patience
Higher Ed Challenges Making improvements in a distributed environment. (Is the tail wagging the dog?) Educating our workforce and students about data security and institutional expectations (We must raise the bar).
Challenges (cont.) Ability to respond to new laws. Balancing security with innovation and exploration. Compliance in an academic culture Research Faculty and staff creativity and use of powerful computer resources with limited security knowledge. Using tools with dangerous power.
You’re Going to Make Us Do What? Initial Reaction by the Governed: Like herding cats
Two Approaches The Penn State Information Privacy And Security Project (IPAS) The University of Minnesota’s Privacy and Security Project
Information Privacy and Security Project Privacy and Security Assessment 2006 No lack of existing institutional policies and laws No lack of requirements for departments No lack of internal guidance No enforcement No consequences for non-compliance outside of HIPAA components
www.ipas.psu.edu Proposal for a two-year project Funded and supported by the Provost and Senior Vice President for Finance and Business University-wide project with 3 internal staff reassigned First priority, Payment Card Industry, Data Security Standards verification Second priority, distributed network compliance
U of M: Privacy & Security Project Academic Chain of Command Policies and Procedures Funded Program Consolidated IT function Auditing and Monitoring Appropriate Sanctions in place Education and Awareness
U of M: Privacy & Security Project (cont.) Education and Awareness is critical Educate users about institutional expectations. Educate users about good IT practices. Enhance productivity through standard practices.
Future Directions/Expectations Remarkable recognition of the need for enhanced “CENTRAL” services Increased accountability Shift in the academic paradigm of open environment and limited central oversight (expect culture shock) Enhance similarity between administrative system controls and academic-centric data systems Increased Standardization
Questions? djl6@psu.edu janss006@umn.edu