Managing Sensitive Data at Michigan State University

Presentation on behalf of• Controller’s Office • Internal Audit• Libraries, Computing & Technology

2

Agenda• Definitions and principles regarding sensitive data

• An action plan for managing your confidential & sensitive data

• Current resources

3

Data Management Initiatives at MSU• Managing Sensitive Data initiative

– Complying with law, regulations, contracts, policies, guidelines and procedures in protecting data and its appropriate use

– Protecting individual privacy and reducing the potential for identity theft

– Education and awareness• Data Stewardship and Data Governance

– Privacy and Confidentiality Policy for Institutional Data

– Access principles, guidelines and procedures– Guidelines for managing research data

• Payment Card Industry Data Security Standards (PCI DSS) compliance initiative

• Social Security Number Privacy Policy• Statement of Acceptable Use

4

What Constitutes Institutional Data?Any data/information the MSU workforce

• Collects• Creates• Stores• Distributes• Uses

in the normal course of University business

5

Facets of Institutional DataFacet Questions to ask

What format is the data in?

Is it electronic, like in an email attachment? Paper-based? Spoken?

What is the data used for?

Keeping track of student grades? Employee wage changes?

How sensitive is the data?

Is it confidential, sensitive, or public?

6

Data Stewardship: Our Institutional & Individual Responsibilities

We have legal and ethical responsibilities to protect the privacy and confidentiality of institutional data.– Legal: Comply with federal & state law, government and other regulations, MSU contracts, policies, guidelines and procedures

– Ethical: Meet responsibilities to students, employees, alumni, and affiliates (clients, patients, patrons, partners, public, etc.)

7

CIA in Data Management• Confidentiality

– Only authorized people access the data

• Integrity– The data are trustworthy

• Availability– Use the data effectively and efficiently while safeguarding confidentiality

• Confidentiality vs Availability

8

Data Privacy and Security Guidelines• Data are made available on a need-to-know basis

• Institutional data are only to be used in the context of University business

• Members of the workforce must understand that:– They are in a position of trust– Each individual is responsible for appropriate use and release of data

9

Degrees of Data Sensitivity

• Confidential– Protected by law, regulation, contract, policy, guideline

• Sensitive– Not disclosed without good reason due to private nature, institutional risk

– Protected by procedures, practice and high ethical standards

• Public– Not protected and generally made publicly available

10

Degrees of Data Sensitivity (cont.)

• Public– Not protected, and generally made publicly available

– Examples include:•Directories (excluding restricted individuals and/or information)

•Library card catalogs•Course catalogs•Institutional policies

11

Degrees of Data Sensitivity (cont.)

• Sensitive– Not disclosed without good reason due to private nature, institutional risk, or to maintain a competitive advantage

– Protected by procedures and high ethical standards

– May be subject to disclosure by specific written request under the Freedom of Information Act

– Includes:• Employment Data

– Examples: salary data, restricted directory data, employee attributes (e.g., citizenship, gender, race/ethnicity, special needs, veteran code)

• Other data, such as certain maps and detailed institutional accounting and budget data

12

Degrees of Data Sensitivity (cont.)

• Confidential– Student Records

• Protected by Family Educational Rights and Privacy Act

• Protected by University policies and guidelines– Guidelines Governing Privacy and Release of Student Records

– MSU Privacy Guidelines

– Personally Identifiable Financial Data, such as with financial aid and student loans• Protected by Gramm-Leach-Bliley Act

– Data used in identity theft• Examples: name, address, date of birth, SSN, payment card numbers, bank and electronic funds transfer account numbers, and driver’s license #s

13

• Confidential (cont.)– Health Records

• Protected by Health Insurance Portability and Accountability Act

– Social Security Numbers• Protected by Michigan Social Security Number Act and University policy

– Payment Card Data• Protected by contract, PCI DSS (Payment Card Industry Data Security Standards)

– Research Data• Protected by federal regulations (45 CFR 46, 21 CFR 50, 21 CFR 56) and MSU’s Internal Review Boards (www.humanresearch.msu.edu)

Degrees of Data Sensitivity (cont.)

14

An Action Plan

Step 1: Survey Your Unit

Step 2: Assess Your Risk

Step 3: Mitigate Your Risk

15

Step 1: Survey Your Unit• What sensitive data are being stored and why?

• Do you import or export sensitive data?– To or from whom, why, and is it secure?

• Who has access to sensitive data in your unit?

• What are the physical security characteristics of your system(s)?– How are your systems physically secured?– How are your paper files physically secured?

• How do you manage and administer your information systems?

16

Step 2: Assess Your Risk• Assess each piece of data identified in Step 1– Which law, regulation, contract, policy, or guideline applies?

– What are the consequences if this piece of data is exposed?

– Currently, how much risk is there that this data will be exposed?

– Should mitigating this risk have a high, medium, or low priority?

17

Step 3: Mitigate Your Risk• Educate security administrators and users– Understand your unit’s “need-to-know” procedures

– Be aware of risks and good data habits

• Keep your inventory current– Archive un-used data – Delete un-needed data

• Protect the data– Physically & digitally secure the data– Store the data in as few places as possible

• Test security systems and processes

18

Systems Security: Ongoing Responsibility• New threats appear almost daily• Therefore we must be vigilant:

– Operating system exposures– Application software exposures– Network exposures

19

An Action Plan for IndividualsStep 1: Survey Your Data

– Survey your own electronic and paper files for sensitive data and identify problem areas

Step 2: Assess Your Risk– Assess the risk involved with storing the data, the business need and how it is stored

Step 3: Mitigate Your Risk– Find ways to manage the risk and take appropriate action

– Personal workstation security - Anti-virus, security patches, firewall, anti-spyware

20

A Metaphor: SSN Abatement• SSNs are similar to asbestos

– Following industry practice, they were used everywhere for years

– We now realize the dangers, so when we find them we follow a procedure:•Take prompt steps to abate high-risk and/or low-value uses

•Institute policies; i.e. new uses of SSN are forbidden without clear justification

•Assess dangers and risks•Determine best way to minimize risk and reduce danger

21

SSN abatement example• Incident: MSU’s library server suffered intrusion

• System housed SSNs• We do not believe intruders sought or copied SSNs, but we do not know

• Response:– Although system was rather secure, security tightened

– Firewall put in place– Summer 2005: internal processes changed so that the library server no longer houses SSNs

22

We all have roles to play in managing sensitive data

23

We all have roles to play in managing sensitive data

and we need to share our ideas and concerns with

each other.

24

Exposure or Intrusion – Which is which?• Exposure – sensitive data that may be accessed by unauthorized individuals

• Intrusion – unauthorized access to a computing resource (may or may not involve sensitive data)

25

Identifying and Reporting an Incident• If you aren’t sure if there is sensitive data being exposed, contact your IT staff immediately.

• If you do not have access to IT staff in your department, contact the ACNS Help Desk at (517) 432-6200.

• It is a good idea to contact LCT about a possible data exposure, ASAP.

26

When an Incident Occurs, What Happens?

• Unit, following internal procedures, notifies DPPS immediately (355-2221)– DPPS notifies LCT– DPPS wants to gather evidence that will lead to a prosecution while minimizing interruption to the business

• The unit, DPPS, and LCT assess the incident• Systems that may have been involved may be taken for months, for the criminal investigation – Repercussions of this action can be devastating if a unit system is taken offline

• Normally MSU will disclose an exposure to those who might be affected– And to the public

27

Implications of a Breach of Sensitive Data• Institutional and personal implications

• Services terminated • Fines • Bad press• Jail time

28

Incidents at MSU• Despite our best efforts…

– Student PINs exposed during data transfers between business units

– SSNs may have been exposed on a server at a business unit

– Student SSNs, names, addresses may have been exposed on a server at an academic unit

– Years of credit card transactions may have been exposed on a server at a business unit

– Confidential employee information may have been exposed on servers at a business unit

• We are all learning

29

We’re Not Alone in This• There are still some schools that use SSN as a student identifier

• Many universities are going through this same process of identifying, managing and securing sensitive data.– Nobody has declared victory. It will take years.

30

Current Resources• Look to http://lct.msu.edu/security for current resources, presentation files

• Managing Sensitive Data Team– Diana D’Angelo, University Data Resource Administrator, Assistant Director Client Advocacy Office, 353-4856

– Team Members• Academic Computing and Network Services• Administrative Information Services• Client Advocacy Office• Controller’s Office• Department of Police and Public Safety• Internal Audit

31

Current Resources (cont.)• Town Hall meetings

– First two in October 2005 – definitions, principles, action plan, resources

– Spring 2006 Town Halls will include reports from units who have implemented action plans

• LCTTP Technology Training– Class/workshop for end-users of data – see www.train.msu.edu for registration and additional information

– Infusion into relevant courses• Campus Applications, Course Management, Database Management, Internet Development, Microsoft Office and Student Information Systems

32

Current Resources (cont.)• Hardware repair and software reloads

– Computer Repair, 505 Computer Center

• Anti-virus and anti-spyware software– MSU Computer Store, 110 Computer Center

• Network security assistance– Network Security Team, 301 Computer Center, security@msu.edu

• PC/LAN Support– Implementation, security analysis, hardware and software trouble-shooting and repair

– Consultation on PC and LAN implementation free of charge

33

Current Resources (cont.)• Data retention and disposal

– University Archives provides advice on data retention and disposal

– MSU Surplus can discuss specific data disposal needs

• Reassigning or retiring a computer system?– If there is sensitive data on the hard drive, scrub it.

– Erasing or reformatting a disk does not remove the data from the disk.

– You must use special sanitizing software, or physically destroy the hard drive.

34

Current Resources (cont.)

• Identity Theft Partnerships in Prevention

Judith Collins, Directorhttp://www.cj.msu.edu/~outreach/identity/(517) 432-4236idtheft@msu.edu

• Collins, Judith M., Preventing Identity Theft in Your Business: How to Protect Your Business, Customers, and Employees, John Wiley and Sons, Inc., 2005

• Further discussion and resources as we continue to address managing sensitive data

35

Our Work Is Just Beginning• Change is needed at the institutional, departmental, and individual levels– Business processes– IT systems and procedures

• Annual reassessments for payment cards

• New applications must comply with policies and regulations

36

Our challenge• When we find sensitive or confidential data in our daily work, question if the use is appropriate.

• The answer to many of our questions is not “Yes” or “No.” Rather, it is, “It depends.”– Do a risk assessment and make a reasonable decision or look for an innovative solution.

37

Questions?• What issues are at the top of your mind?

• What do you think we can do to provide better resources to address sensitive data issues?