Developing an Enterprise-Wide Privacy and Data Security Training Program
Ross T. Janssen, J.D., CIPP
Privacy & Security Officer
University of Minnesota
John T. Jensen, CHPS, CIPP
Assistant Director
Privacy & Security Office
University of Minnesota
Outline
• Drivers
• Organizational Complexity
• Key Project Components
• Costs and Timelines
• Lessons Learned
• Questions
Drivers
• Incidents
• Notification law
• New IT security laws
• Leverage resources
• Lots of regulation
Complexity of Higher Education
– Multi-part missions
– Culture of Openness
– Decentralized Organization
– Need for Privacy and Security
– Diverse stakeholders
– Regulations
– Community Expectations
Developing a Balanced Approach: Key Assumptions
• University faculty, staff, and students create, use, access, store, and share private data.
• Must understand human dimensions as well as acknowledge the need to address not only what is required (law) but also what is expected (from the community).
Key Project Components
• Analysis & Planning
• Curriculum & Instructional Design
• Content Development
• Training Delivery & Tracking
• Awareness & Communications
• Evaluation & Measurements
• Reporting
Analysis & Planning
• Process
• Key Findings
– Content
– Technology and delivery
– Patterns of use
– Challenges
• Recommendations
Analysis & Planning
• Mandatory or voluntary
• Role based?
• Scope
• Measurements
• Opportunities
Purpose
• Educate users about institutional expectations.
• Educate users about good IT practices.
• Enhance productivity through standard practices.
Course Curriculum
Data Security in Your Job
Securing Your Computer Workstation
Using University Data
Self Assessment
Personnel Data
Student Data
Health Data
Financial Data
Faculty, Managers, & Supervisors
Content Development
• Principal v. topical
• Identify subject matter experts
• Policy translation
• Course objectives
• Identify resources
• Lots and lots and lots of time!
Training Delivery & Tracking
• Privacy Coordinator/Liaison Structure
• Leveraging Existing Infrastructure
– Human Resources System (PeopleSoft)
– University portal (www.myu.umn.edu)
– Database (Oracle)
– eLearning System (WebCT – Blackboard)
– Email
• Tracking & Delivery Enhancements
– Tiered assignments for timed delivery
– Reports
Communications & Awareness
• Challenges
– Decentralized communication infrastructures
– Multiple web identities
– Communicating to Faculty
– Communicating to research personnel
• “I work with rats, not data”
Communications & Awareness – A Multi-Tiered Approach
– Packaged Communications (Mailings, Posters, Logos, Banners, etc)
– Strategic Communications (Memorandums, electronic notices of course assignments, in-person meetings, Scripts for supervisors and coordinators)
Communications & Awareness - Packaged
Measurements: Evaluation & Reporting
[Two bar charts: Assessing Confidence Levels: Before and After Training. X-axis: Question (1–7); Y-axis: Percentage; series: Strongly Disagree, Disagree, Agree, Strongly Agree]
1. I am confident that I can secure my work environment and the private data I may use in my job.
2. I am confident that I can identify resources for securing my computer workstation.
3. I am confident that I can create and use strong passwords.
4. I am confident that I can recognize actions that increase security risk.
5. I am confident that I can use best practices to reduce the risks associated with using and sharing University private data.
6. I am confident that I can identify security issues and take appropriate action to address them.
7. I am confident that I can identify what University data are private and what University data are public.
Costs and Timelines
Component | Time | Costs
Analysis & Planning (front-end analysis) | 80 hours (.5 months) | $15,000 consultants only
Curriculum & Instructional Design / Content Development | 1,500 hours (9+ months) | $110,000 consultants only
Training Delivery & Tracking / Reporting | 1,700 hours (10+ months) | $170,000 business analyst and programmers
Awareness & Communications | 500 hours (3+ months) | $35,000 designers, consultants, materials
Evaluation | 80 hours (.5 months) | $7,000
Total | 23 months* | $337,000*
Contact Information
Privacy & Security Office
University of Minnesota
[email protected]
Ross T. Janssen, JD, [email protected]
John T. Jensen, CHPS, [email protected]