Privacy and Security in the VLDS

2 Commonwealth Security Benefits (Intended)
– Confidence in the integrity of the data and the systems processes
– Assistance in compliance with laws and regulation involving confidentiality
– A secure environment in which to perform business activities of the Commonwealth
– Identification and protection of key business functions and services in the event of disaster
– Monitoring for intrusions and network "attacks" on Commonwealth systems

3 SEC : The Commonwealth’s IS Security Standard
Chapters:
– Risk Management
– IT Contingency Planning
– Information Systems Security
– Logical Access Control
– Data Protection
– Facilities Security
– Personnel Security
– Threat Management
– IT Asset Management

4 Government Data Collection and Dissemination Practices Act (selected items)
§ Administration of systems including personal information; Internet privacy policy; exceptions.
A. Any agency maintaining an information system that includes personal information shall:
– 1. Collect, maintain, use, and disseminate only that personal information permitted or required by law to be so collected, maintained, used, or disseminated, or necessary to accomplish a proper purpose of the agency;
– 5. Make no dissemination to another system without (i) specifying requirements for security and usage including limitations on access thereto, and (ii) receiving reasonable assurances that those requirements and limitations will be observed.
– 6. Maintain a list of all persons or organizations having regular access to personal information in the information system;
– 7. Maintain for a period of three years or until such time as the personal information is purged, whichever is shorter, a complete and accurate record, including identity and purpose, of every access to any personal information in a system, including the identity of any persons or organizations not having regular access authority but excluding access by the personnel of the agency wherein data is put to service for the purpose for which it is obtained;
– 8. Take affirmative action to establish rules of conduct and inform each person involved in the design, development, operation, or maintenance of the system, or the collection or use of any personal information contained therein, about all the requirements of this chapter, the rules and procedures, including penalties for noncompliance, of the agency designed to assure compliance with such requirements;

5 Government Data Collection and Dissemination Practices Act
§ Dissemination of reports
– Any agency maintaining an information system that disseminates statistical reports or research findings based on personal information drawn from its system, or from other systems shall:
1. Make available to any data subject or group, without revealing trade secrets, methodology and materials necessary to validate statistical analysis, and
2. Make no materials available for independent analysis without guarantees that no personal information will be used in any way that might prejudice judgments about any data subject.
§ Rights of data subjects.
– 2. Give notice to a data subject of the possible dissemination of part or all of this information to another agency, nongovernmental organization or system not having regular access authority, and indicate the use for which it is intended, and the specific consequences for the individual, which are known to the agency, of providing or not providing the information.

6 Family Educational Rights and Privacy Act (2008 Amendments to Regulations)
State Consolidated Education Data Systems
– …the Department has been working closely with SEAs to establish or upgrade State data systems in order to manage information generated by assessments, and use the data to improve student academic achievement and close achievement gaps. Changes to § 99.35(b) make it possible for SEAs and other State educational authorities to implement K-16 accountability systems by redisclosing personally identifiable student information on behalf of LEAs and postsecondary institutions provided they have legal authority to audit or evaluate one another's education programs.
– Additionally, under FERPA, State educational authorities, such as SEAs and higher education commissions, may disclose education records in personally identifiable form, without consent, to contractors, consultants, and other parties to whom they have outsourced organizational services or functions, including evaluation of Federal or State supported education programs under § 99.35, provided that the State educational authority has direct control over that outside party.

7 Relevant SCHEV Language
§ :1. Duties of Council generally
– 9. Develop a uniform, comprehensive data information system designed to gather all information necessary to the performance of the Council's duties. The system shall include information on admissions, enrollments, self-identified students with documented disabilities, personnel, programs, financing, space inventory, facilities and such other areas as the Council deems appropriate. When consistent with the Government Data Collection and Dissemination Practices Act, the Virginia Unemployment Compensation Act, and applicable federal law, the Council, acting solely or in partnership with the Virginia Department of Education or the Virginia Employment Commission, may contract with private entities to create de-identified student records for the purpose of assessing the performance of institutions and specific programs relative to the workforce needs of the Commonwealth. For the purposes of this section, "de-identified student records" means records in which all personally identifiable information has been removed.

8 Component Overview
(Diagram of the VLDS components and data flows; only the label "Data" survives from the image.)

9 Data Request
(Diagram of the data request flow between data sources; only the labels "Data" survive from the image.)

10 Security Overview
(Diagram. Data tiers: Aggregated Data (Suppressed); Aggregated Data (Non-Suppressed); Unit Record Level Data. Portal Components and Account Management. User classes: Anonymous; Named (Schools, Researchers, Agency Employees, System Admin).)

11 Security
(Diagram. Authentication and Authorization; Role Based Permission applied at the Database, Table and Column level; Viewing and Editing rights; Suppressed Data vs. Non-Suppressed Data.)

12 Reporting: Record Level Linked Data
(Diagram. Components: Report Creation [1,2] (Ad Hoc interface); Lexicon; Shell Database [1,2]; Ad Hoc Metadata; Workflow Approval; Shaker [3,4]; Source Data (DOE, SCHEV, VEC); Query Results [5,6].)
Shell Database: instantiates the information contained in the Lexicon; contains dummy data.
1. Report link will display report with dummy data.
2. Report will have a button that will allow submission of report to workflow.
3. Distributed query engine generates queries to each of the source data systems and joins the result sets.
4. Engine will interact with Lexicon.
5. Options for report display include a Logi Analysis Grid (depending on number of records returned) or a link to download a file.
6. Access may be provided through Ad Hoc report portal.

Lexicon – Shaker Process
(Diagram. Components: DS 1, DS 2, DS 3; Lexicon; Linking Control; Data Access Control; User Interface / Portal / LogiXML; Sub-Query Optimization; Hashed ID Matrix; Authorized Query; Query Results; Workflow Manager; Sample Data Shell Database; Query Building Process (Pre-Authorization).)
Matching: Common IDs [deterministic], or Common Elements with appropriate Transforms, Matching Algorithms and Thresholds [probabilistic].
A linking engine process will update the Lexicon periodically to allow query building on known available matched data fields. No data is used in this process. Queries are built on the relationships between data fields in the Lexicon.

14 Matched Hash ID Values
– The SLDS server will match records from different agencies using the Hash ID.
– After records are matched, the SLDS server will delete the Hash ID values and replace them with randomly generated unique IDs.
September 10, 2015
(Diagram: Merging UR Data on Hashed-IDs; Add’l Data Sources.)
– Possible connection using Web Service: creates a Web Services Data Source (Oracle), which enables application and data integration by turning an external web service into an SQL data source, making external web services appear as regular SQL tables. This table function represents the output of calling external web services and can be used in an SQL query.
– Possible connection using Homogeneous link between Oracle DBs: establish synonyms for global names of remote objects in the distributed system so that the Shaker can access them with the same syntax as local objects.
– Possible connection using Heterogeneous link using available Transparent Gateway or Generic ODBC/OLE.
– Sub-query processing priority will be determined for each query to minimize unnecessary data transfer (e.g. not downloading unmatched records unless specifically requested) to optimize join performance; see Query Sub-Process Optimization.
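The Shaker linkage described on the "Lexicon – Shaker Process" and "Matched Hash ID Values" slides, as an added Python example that is not part of the presentation or the VLDS code: agencies ship only a Hash ID with each record, the server requests just the Hash IDs present in every source, joins on them, and then discards the Hash IDs in favour of random unique IDs. The keyed SHA-256 Hash ID, the field names and the sample records are constructed assumptions.

```python
import hashlib, hmac, secrets, uuid

# Constructed sample data standing in for the three source agencies named on
# the page (DOE, SCHEV, VEC). "common_id" is the identifier the agencies share;
# it never leaves the agency, only its Hash ID does.
DOE_RAW = [{"common_id": "A1", "grad_year": 2014},
           {"common_id": "A2", "grad_year": 2015},
           {"common_id": "A3", "grad_year": 2015}]
SCHEV_RAW = [{"common_id": "A1", "degree": "BS"},
             {"common_id": "A2", "degree": "BA"},
             {"common_id": "A4", "degree": "AAS"}]
VEC_RAW = [{"common_id": "A2", "wage_q1": 9500},
           {"common_id": "A1", "wage_q1": 12000},
           {"common_id": "A5", "wage_q1": 7000}]

# Assumption: the Hash ID is a keyed SHA-256 of the common identifier, with a
# key shared by the contributing agencies for this linkage run. The page says
# only "Hash ID"; keying keeps anyone without the key from recomputing it.
LINK_KEY = secrets.token_bytes(32)

def hash_id(common_id: str) -> str:
    return hmac.new(LINK_KEY, common_id.encode(), hashlib.sha256).hexdigest()

def agency_extract(raw_records):
    """Agency-side step: keep the payload, replace common_id with its Hash ID."""
    return {hash_id(r["common_id"]): {k: v for k, v in r.items() if k != "common_id"}
            for r in raw_records}

def matched_hash_ids(extracts):
    """Hashed ID matrix: only Hash IDs present in every source are requested,
    so unmatched records are never downloaded (the page's sub-query optimization)."""
    return set.intersection(*(set(e) for e in extracts))

def shaker_link(extracts):
    """Join the matched records, then drop the Hash ID in favour of a random ID."""
    linked = []
    for hid in matched_hash_ids(extracts):
        row = {"record_id": str(uuid.uuid4())}  # random, cannot be traced back to hid
        for e in extracts:
            row.update(e[hid])
        linked.append(row)
    return linked  # hid itself is never written into the linked output

def contains_no_hash_ids(linked, extracts):
    """Release check: no Hash ID column or value may survive into the linked data."""
    all_hids = set().union(*extracts)
    return not any("hash_id" in row or any(v in all_hids for v in row.values())
                   for row in linked)

SOURCES = [agency_extract(DOE_RAW), agency_extract(SCHEV_RAW), agency_extract(VEC_RAW)]
if __name__ == "__main__":
    rows = shaker_link(SOURCES)
    print(f"{len(rows)} linked rows from {sum(len(s) for s in SOURCES)} source records")
    print("Hash IDs absent from output:", contains_no_hash_ids(rows, SOURCES))
```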

15 Data Architecture
(Diagram, hosted at VITA (CESC). Components: SLDS Portal; Lexicon UI / Admin; Record Level Query / Reports; Aggregate Linked Reports; Workflow; Shell DB; ETL [1]; Metadata and Security [1]; Shaker / Deidentified Record Level Data [2]; Aggregate Linked Data via SPs [3]; data sources DS 1, DS 2, DS 3.)
1. Contains DBs for Shaker, Ad Hoc metadata, logging, auditing, etc.
2. Database for the Shaker process that temporarily stores linked record level data. The temporary tables will be dropped after a set period of time.
3. For canned reports, Stored Procedures will be used for data querying and suppression.

16 Security
Authentication
– COV AUTH
Authorization
– Role Based
  Anonymous User
  Named User
  – System Administrator
  – Agency Employee
  – Researcher
– Permissions
  Workflow
  Reports (Suppressed and Non-Suppressed)
  Query Building Tool
  Lexicon
  Data elements
  User Account Management
Data security enforced by/at ….
– Portal
– Lexicon: Viewing, Editing
– Reports: Suppressed Data, Non-Suppressed Data
– Workflow
– Data: Database, Table, Column

Questions?