Developing an Enterprise-Wide Privacy and Data Security Training Program

Ross T. Janssen, J.D., CIPP, Privacy & Security Officer, University of Minnesota
John T. Jensen, CHPS, CIPP, Assistant Director, Privacy & Security Office, University of Minnesota

Page 1: Developing an Enterprise-Wide Privacy and Data Security Training Program

Developing an Enterprise-Wide Privacy and Data Security Training Program

Ross T. Janssen, J.D., CIPP
Privacy & Security Officer
University of Minnesota

John T. Jensen, CHPS, CIPP
Assistant Director
Privacy & Security Office
University of Minnesota

Page 2

Outline

• Drivers

• Organizational Complexity

• Key Project Components

• Costs and Timelines

• Lessons Learned

• Questions

Page 3

Drivers

• Incidents

• Notification law

• New IT security laws

• Leverage resources

• Lots of regulation

Page 4

Complexity of Higher Education

– Multi-part missions

– Culture of Openness

– Decentralized Organization

– Need for Privacy and Security

– Diverse stakeholders

– Regulations

– Community Expectations

Page 5

Developing a Balanced Approach: Key Assumptions

• University faculty, staff, and students create, use, access, store, and share private data.

• Must understand human dimensions as well as acknowledge the need to address not only what is required (law) but also what is expected (from the community).

Page 6

Key Project Components

• Analysis & Planning

• Curriculum & Instructional Design

• Content Development

• Training Delivery & Tracking

• Awareness & Communications

• Evaluation & Measurements

• Reporting

Page 7

Analysis & Planning

• Process

• Key Findings

– Content

– Technology and delivery

– Patterns of use

– Challenges

• Recommendations

Page 8

Analysis & Planning

• Mandatory or voluntary

• Role based?

• Scope

• Measurements

• Opportunities

Page 9

Purpose

• Educate users about institutional expectations.

• Educate users about good IT practices.

• Enhance productivity through standard practices.

Page 10

Course Curriculum

Data Security in Your Job

Securing Your Computer Workstation

Using University Data

Self Assessment

Personnel Data

Student Data

Health Data

Financial Data

Faculty, Managers, & Supervisors

Page 11

Content Development

• Principle v. topical

• Identify subject matter experts

• Policy translation

• Course objectives

• Identify resources

• Lots and lots and lots of time!

Page 12

Page 13

Page 14

Page 15

Training Delivery & Tracking

• Privacy Coordinator/Liaison Structure

• Leveraging Existing Infrastructure

– Human Resources System (PeopleSoft)

– University portal (www.myu.umn.edu)

– Database (Oracle)

– eLearning System (WebCT – Blackboard)

– Email

• Tracking & Delivery Enhancements

– Tiered assignments for timed delivery

– Reports

Page 16

Communications & Awareness

• Challenges

– Decentralized communication infrastructures

– Multiple web identities

– Communicating to Faculty

– Communicating to research personnel

• “I work with rats, not data”

Page 17

Communications & Awareness – A Multi-Tiered Approach

– Packaged Communications (Mailings, Posters, Logos, Banners, etc.)

– Strategic Communications (Memorandums, electronic notices of course assignments, in-person meetings, Scripts for supervisors and coordinators)

Page 18

Communications & Awareness - Packaged

Page 19

Measurements: Evaluation & Reporting

Assessing Confidence Levels: Before and After Training

[Chart 1 of 2: bar chart of survey responses. X-axis: Question (1–7). Y-axis: Percentage (0.00%–60.00%). Series: Strongly Disagree, Disagree, Agree, Strongly Agree.]

[Chart 2 of 2: bar chart of survey responses. X-axis: Question (1–7). Y-axis: Percentage (0.00%–80.00%). Series: Strongly Disagree, Disagree, Agree, Strongly Agree.]

Survey statements:

1. I am confident that I can secure my work environment and the private data I may use in my job.

2. I am confident that I can identify resources for securing my computer workstation.

3. I am confident that I can create and use strong passwords.

4. I am confident that I can recognize actions that increase security risk.

5. I am confident that I can use best practices to reduce the risks associated with using and sharing University private data.

6. I am confident that I can identify security issues and take appropriate action to address them.

7. I am confident that I can identify what University data are private and what University data are public.

Page 20

Costs and Timelines

Component                                              Time                      Costs
Analysis & Planning (front-end analysis)               80 hours (.5 months)      $15,000 (consultants only)
Curriculum & Instructional Design; Content Development 1,500 hours (9+ months)   $110,000 (consultants only)
Training Delivery & Tracking; Reporting                1,700 hours (10+ months)  $170,000 (business analyst and programmers)
Awareness & Communications                             500 hours (3+ months)     $35,000 (designers, consultants, materials)
Evaluation                                             80 hours (.5 months)      $7,000
Total                                                  23 months*                $337,000*

Page 21

Contact Information

Privacy & Security Office, University of Minnesota, [email protected]

Ross T. Janssen, JD, [email protected]

John T. Jensen, CHPS, [email protected]