Data Classification Standard & Data Management Procedures (6/2/2015)
By: John L. Baines, Leo Howell, Jeff Webster

Slide 2 (DCS & DMP, 6/2/2015): Introduction
- Information is THE primary asset at the University
- Security & custody are now both strong issues
- Press & governance showing increased attention
- The University reputation is at stake

Slide 3: Increasingly Complicated Compliance Constraints

Statute                                         | Type of requirement                        | University data    | Example location
FERPA                                           | Federal law                                | Student records    | Faculty PC or server
HIPAA                                           | Federal law                                | Health records     | Athletics dept.
GLBA                                            | Federal law                                | Financial data     | Financial Aid
PCI DSS                                         | Payment Card Industry - Data Security Std. | Credit card data   | Bookstore server
SB 1048                                         | State Identity Theft law                   | SSN, etc.          | R & R
State Employee Personal Information Privacy law | State law                                  | Staff data         | Payroll
Federal Grants                                  | Contract requirements                      | Research materials | Lab PC

Slide 4: Ohio University
Reported in an Athens News article:
- Hackers gained access to personal data, including SSNs of 200,000 students and alumni
- Multiple incidents
- More than $77,000 spent sending letters
- Blow to alumni goodwill: a number of writers to the University have expressed
  – Anger
  – Frustration
  – Reluctance to donate any more money to OU
  – Requested bill for time
  – Questions about competence & integrity
  – Threat of class-action lawsuits!

Slide 5: Educational Institutes Seen as Easy Marks
Los Angeles Times article - May 30, 2006:
- ‘Since January, 2006 at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges nationwide.’
- ‘we were adding on another university every week to look into’ - Michael C. Zweiback, assistant U.S. attorney

Slide 6: Technology Makes Risk Higher
- On the Internet EVERYONE lives next door!
- Low-cost high-speed portable data storage: Corsair Flash Voyager 1GB USB 2.0 Flash Drive, Final Price: $9.99
- Enough to store all University SSNs!!!

Slide 7: Not Just IT Anymore (if it ever was!)
- Electronic & Physical
- Word cloud: Athletics, Download, Dept level, Portable data, IPR, Text, A/V, Web, Finance, HR

Slide 8: Two Draft Regulations - DCS & DMP
Joint effort – RMIS & ITD
- Data Classification Standard (new)
  – Sensitivity of data
  – Security and privacy
  – Consistency
- Data Management Procedures (revised)
  – Responsibility and accountability
  – Authorization for access
  – Custody of information copies

Slide 9: Data Classification Standard - DCS
University data:
– Identification
– Confidentiality and sensitivity
– Classification
– Protection
– Consistency

Slide 10: Three Virtual Protection Zones - Security follows data
Based on security from the Data Classification Standard:
- Red (High): impact to business; significant financial loss; violates laws, agreements, or regulations
- Yellow (Moderate): NOT Red, but adversely affects the University
- Green (Normal): NOT Yellow, but authorization required to modify or copy
E.g., a laptop with access to social security numbers operates in the Red zone.
E.g., a server with only published materials may require merely Green zone protection.

Slide 11: Current DMP – Data Management Procedures
- University Regulation, original approved January 1990
- Served the University very well
- Is detailed and specific to:
  – Centrally managed data
  – Enterprise information systems
- New draft simplifies and extends to the rest of the University

Slide 12: The New Draft DMP
- Current DMP outline intact
- About 25% of original text: shortened from 8 pages to 4.5 pages
- Deleted specific references to RMIS internal procedures
- Updated the list of Data Trustees, Stewards, and Custodians
- Made a separately maintained table for:
  – Data Categories
  – Data Trustees
  – Data Stewards
  – Data Custodians
- Generalized and simplified the DMP
- Foundation and framework:
  – Management of any and all University data
  – Electronic and physical copies
- RMIS, Colleges, and Departments will:
  – Develop their own more detailed procedures
  – Establish relevancy to their own very specific data protection needs

Slide 13: Logical Organization from DMP (diagram)

Slide 14: Data Steward
- Classifies data
- Establishes guidelines for his or her data
- Sets appropriate privacy / security level
- Avoids compliance findings
- Delegates authority, responsibility, and accountability
DMP and DCS work hand in hand.

Slide 15: User Responsibilities
- Store data under secure conditions
- Make every reasonable effort to ensure the appropriate level of data privacy is maintained
- Use the data only for the purpose for which access was granted
- Do not share IDs or passwords with other persons
- Securely dispose of sensitive University data

Slide 16: Possible Next Steps
- Guidance and awareness (we will work to develop guides; for example, a checklist to help classify data)
- Possible specific standards for protecting data based on classification level
- Training program for new data stewards, data custodians, and security administrators
- Security awareness program for users
- Resources for Campus Groups
  – ITD security staff
  – RMIS Information Assurance & Security area

Slide 17: So how do these regulations really affect me?

Slide 18: Examples – General
- Most administrative “business” data was already covered by the previous DMP, so Data Trustees, Data Stewards, and Data Custodians are already defined and have established processes for administrative data
- For other data on campus, similar processes may already be followed; you should make sure they are documented

Slide 19: Examples – Data Extracts
- For users/groups that have received permission to make local copies of data, the Data Trustee and Data Steward are defined by the original data; the copiers have simply made themselves the Data Custodians for their own local copy
- This was already the case under the previous DMP and the Information Security Acknowledgement form; it has hopefully been clarified in the new draft DMP

Slide 20: Examples – Data Extracts with Local Additions
- If you are taking a data extract and adding extra local information to the data set, then this additional data is a new Data Category and needs a trustee, steward, and custodian
- In developing any process for who can access and use the combined data extract and local additions, you need to work with the other Data Steward(s), since the data is not all yours
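As an added illustration (not a tool from the presentation or the University), the following shows how slide 10's "security follows data" rule and the data-extract rules of slides 19 and 20 can be expressed in code: an asset's zone is the maximum over its data categories, a local copy inherits its source's classification, and local additions are classified as part of the combined set. The category names, the Yellow assignment for building plans, and the fail-closed treatment of unclassified categories are assumptions.

```python
from enum import IntEnum

class Zone(IntEnum):
    """Three Virtual Protection Zones from the Data Classification Standard."""
    GREEN = 1   # Normal: authorization required to modify or copy
    YELLOW = 2  # Moderate: adversely affects the University
    RED = 3     # High impact: significant loss; violates laws/agreements/regulations

# Statute that governs each data category, taken from the compliance-constraints
# table on slide 3. Data covered by a law or agreement is Red by the slide 10 rule.
STATUTE = {
    "student_record": "FERPA",
    "health_record": "HIPAA",
    "financial_data": "GLBA",
    "credit_card": "PCI DSS",
    "ssn": "SB 1048",
    "staff_data": "State Employee Personal Information Privacy law",
    "research_material": "Federal Grants contract",
}

# Assumed zone assignments for categories the slides mention without a statute.
ASSUMED_ZONE = {
    "building_plan": Zone.YELLOW,  # assumption: sensitive per slide 21, no statute cited
    "published": Zone.GREEN,       # slide 10's Green example
}

def category_zone(category):
    """Zone of one data category. A category nobody has classified yet is treated
    as Red until a Data Steward assigns it a level (fail closed, not open)."""
    if category in STATUTE:
        return Zone.RED
    return ASSUMED_ZONE.get(category, Zone.RED)

def zone_for(categories):
    """Security follows data: an asset runs in the zone of its most sensitive category."""
    return max((category_zone(c) for c in categories), default=Zone.GREEN)

def obligations(categories):
    """Statutes/agreements an asset holding these categories must satisfy."""
    return {STATUTE[c] for c in categories if c in STATUTE}

def extract_zone(source_categories, local_additions=()):
    """A local copy keeps the source's classification; local additions are a new
    data category, so the combined extract is classified as one data set."""
    return zone_for(list(source_categories) + list(local_additions))

if __name__ == "__main__":
    print(zone_for(["ssn"]).name)        # laptop with SSN access: RED
    print(zone_for(["published"]).name)  # server with published materials: GREEN
```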

Slide 21: Examples – Building Plans
- Building plans and other area design plans are very valuable records, since they show how the building is put together
- There are several areas of data custody that need to be considered:
  – Access limits because of sensitivity of the plans
  – Preservation of original plans
  – Defined source of the current master copy of a building plan
  – Procedures for allowing updates to master building plans

Slide 22: Examples – Fundraising
- During fundraising drives and other donation collection programs, a lot of potentially sensitive information may be collected about the individual donors:
  – Name
  – Address
  – Bank or Credit Card numbers
  – Other financial information
- Access to this data and its safe storage and disposal are your biggest concerns

Slide 23: Examples – Research Data
- Research Data is somewhat messy
- In general, you will probably end up with these roles:
  – Data Trustee – Dean
  – Data Steward – PI
  – Data Custodian – PI, local IT, grad student
- The two biggest issues to address are:
  – Who can access the data
  – Is the data stored safely

Slide 24: ‘Do Nothing’ Alternative
- For those found to have responsibility for the data:
  – Compliance failures
  – Data compromises
  – Theft of information
  – Lawsuits
  – Fines
  – Loss of reputation
- More stringent University-wide data control regulations that:
  – Cannot take into account special characteristics of individual data items
  – Place unnecessary controls on all sensitive data in a more arbitrary way

Slide 25: Benefits
- Establishes consistency in handling sensitive data
- Clarifies authority, responsibility, and accountability for the security of data
- Delegates appropriately
- Simplifies audit and oversight
- Helps avoid embarrassing data leaks
- Guards against severe financial and legal penalties for compliance findings