Higher Education Privacy Update David Lindstrom, Chief Privacy Officer The Pennsylvania State University Ross Janssen, Privacy and Security Officer University of Minnesota


Post on 22-Feb-2016

TRANSCRIPT

  • Higher Education Privacy Update
    David Lindstrom, Chief Privacy Officer, The Pennsylvania State University
    Ross Janssen, Privacy and Security Officer, University of Minnesota

  • Session Overview
    - Higher Ed Characteristics
    - Legal, Regulatory, and Other Reasons to Protect Data
    - Trends
    - The Challenges Facing Us
    - A Couple of Approaches
    - Questions (and Answers?)

  • Characteristics
    - Multiple Missions
    - Decentralization
    - Limited or Competing Resources
    - Culture of Independence
    - Diverse Technical Competencies
    - Lots of Data
    - Big Pipes

  • How Much Data???
    - Typical day: more than 100,000 individual computers are connected
    - > 1.5 million authentication actions by 120,880 unique Access account users (doesn't include all the College and Department logins)
    - 28 February: more than 54,000 systems (of the 100,000) communicated out to the Internet
    - More than 2,900,000 separate systems attempted to talk to Penn State from the Internet
    - 10% of the traffic coming from the Internet to Penn State that day was blocked by filtering at the border (in other words, it was likely hostile activity subject to very simple blocks)

  • Some Characteristics Make Us More Vulnerable:
    - Distributed Governance
    - Varying User Needs/User Populations
    - Cultural Tradition of Independence
    - Emphasis on Committees and Consensus
    - Relatively slow-moving process facing a fast-moving threat

  • Why Should Higher Ed Care?
    - Data Integrity
    - Intellectual Property
    - People Place Trust in Us
    - Impacts Reputation
    - High Cost for Breaches
    - US Data Protection Framework

  • We are Having Breaches
    Two sources with slightly different numbers, but the news isn't good:
    - Educational institutions accounted for over 50 of the more than 300 major data breaches in 2006, according to the Privacy Rights Clearinghouse, exposing Social Security numbers, bank account information and other sensitive personal data.
    - According to the Treasury Institute for Higher Education, of the 321 information security breaches nationwide reported in 2006, 84 or 26% were at education institutions. This 26% share for Education is particularly disproportionate when we consider that education represents only a small percent of total payment activity nationwide. As a result, financial institutions and card issuers increasingly view education institutions as risky merchants.

  • US Data Protection Framework
    Federal and State Laws (to name a few):
    - FERPA
    - HIPAA
    - GLBA
    - State Notification Laws
    Regulations and Standards:
    - FDA data security compliance
    - PCI-DSS

  • Trends: What's Increasing?
    - Sophistication level of network attacks (bots, bots and more bots)
    - Complexity of detecting and removing residual malicious software
    - Number of vendor security updates
    - Mobility: laptops and PDAs connecting to uncontrolled networks and returning
    - Amount of Data We Can Store
    - Accountability

  • Consider This:

  • Trends: What's Decreasing
    - Amount of time for global spread (worms)
    - Ability to prevent intrusions at the network border
    - Amount of time available to install vendor security updates
    - Amount of time to detect and defeat a network-based attack
    - Customers' patience

  • Higher Ed Challenges
    - Making improvements in a distributed environment. (Is the tail wagging the dog?)
    - Educating our workforce and students about data security and institutional expectations. (We must raise the bar.)

  • Challenges (cont.)
    - Ability to respond to new laws.
    - Balancing security with innovation and exploration.
    - Compliance in an academic culture.
    - Research.

  • You're Going to Make Us Do What?
    Initial Reaction by the Governed: Like herding cats

  • Two Approaches
    - The Penn State Information Privacy And Security Project (IPAS)
    - The University of Minnesota's Privacy and Security Project

  • Information Privacy and Security Project
    Privacy and Security Assessment 2006:
    - No lack of existing institutional policies and laws
    - No lack of requirements for departments
    - No lack of internal guidance
    - No enforcement
    - No consequences for non-compliance outside of HIPAA components

  • www.ipas.psu.edu
    - Proposal for a two-year project
    - Funded and supported by the Provost and Senior Vice President for Finance and Business
    - University-wide project with 3 internal staff reassigned
    - First priority: Payment Card Industry Data Security Standards verification
    - Second priority: distributed network compliance

  • U of M: Privacy & Security Project
    - Academic Chain of Command
    - Policies and Procedures
    - Funded Program
    - Consolidated IT function
    - Auditing and Monitoring
    - Appropriate Sanctions in place
    - Education and Awareness

  • U of M: Privacy & Security Project (cont.)
    Education and Awareness is critical:
    - Educate users about institutional expectations.
    - Educate users about good IT practices.
    - Enhance productivity through standard practices.

  • Future Directions/Expectations
    - Remarkable recognition of the need for enhanced CENTRAL services
    - Increased accountability
    - Shift in the academic paradigm of open environment and limited central oversight (expect culture shock)
    - Enhance similarity between administrative system controls and academic-centric data systems
    - Increased Standardization

  • Questions?

    - what we look like
    - info we use; we deal with a lot of data
    - culture
    - technical competencies

    Higher Ed Characteristics: Certain Characteristics of Colleges and Universities Make the Security Problem More Difficult
    - Distributed Governance
    - Varying User Needs/User Populations
    - Cultural Tradition of Independence
    - Emphasis on committees and consensus
    - Comparatively slow-moving process facing a fast-moving threat

    The legal and regulatory framework
    - are entrusted with data
    - expectations

    Fed and state laws being passed in reaction to publicized data use problems.
    Federal Laws (examples):
    - FERPA (education data)
    - GLBA (banking data & credit decisions)
    - HIPAA (identifiable health information)
    - CAN-SPAM (email communications)
    - State Privacy and Notification Laws
    Regulations and Standards:
    - FDA data security compliance
    - e-Discovery

    Definitely more coming.

    Losses and Thefts
    Faculty and staff creativity and use of powerful computer resources with limited security knowledge.

    Using tools with dangerous power.