Managing Sensitive Data at Michigan State University - PowerPoint PPT Presentation

Slides: 38
Provided by: DavinGr8
Learn more at: https://www.educ.msu.edu
Transcript and Presenter's Notes

1
Managing Sensitive Data at Michigan State
University
  • Presentation on behalf of
  • Controller's Office
  • Internal Audit
  • Libraries, Computing and Technology

2
Agenda
  • Definitions and principles regarding sensitive
    data
  • An action plan for managing your confidential
    and sensitive data
  • Current resources

3
Data Management Initiatives at MSU
  • Managing Sensitive Data initiative
  • Complying with law, regulations, contracts,
    policies, guidelines and procedures in protecting
    data and its appropriate use
  • Protecting individual privacy and reducing the
    potential for identity theft
  • Education and awareness
  • Data Stewardship and Data Governance
  • Privacy and Confidentiality Policy for
    Institutional Data
  • Access principles, guidelines and procedures
  • Guidelines for managing research data
  • Payment Card Industry Data Security Standards
    (PCI DSS) compliance initiative
  • Social Security Number Privacy Policy
  • Statement of Acceptable Use

4
What Constitutes Institutional Data?
  • Any data/information the MSU workforce
  • Collects
  • Creates
  • Stores
  • Distributes
  • Uses
  • in the normal course of University business

5
Facets of Institutional Data
Facet | Questions to ask
What format is the data in? | Is it electronic, like in an email attachment? Paper-based? Spoken?
What is the data used for? | Keeping track of student grades? Employee wage changes?
How sensitive is the data? | Is it confidential, sensitive, or public?

6
Data Stewardship: Our Institutional and Individual
Responsibilities
  • We have legal and ethical responsibilities to
    protect the privacy and confidentiality of
    institutional data.
  • Legal: Comply with federal and state law,
    government and other regulations, MSU contracts,
    policies, guidelines and procedures
  • Ethical: Meet responsibilities to students,
    employees, alumni, and affiliates (clients,
    patients, patrons, partners, public, etc.)

7
CIA in Data Management
  • Confidentiality
  • Only authorized people access the data
  • Integrity
  • The data are trustworthy
  • Availability
  • Use the data effectively and efficiently while
    safeguarding confidentiality
  • Confidentiality vs Availability

8
Data Privacy and Security Guidelines
  • Data are made available on a need-to-know basis
  • Institutional data are only to be used in the
    context of University business
  • Members of the workforce must understand that
  • They are in a position of trust
  • Each individual is responsible for appropriate
    use and release of data

9
Degrees of Data Sensitivity
  • Confidential
  • Protected by law, regulation, contract, policy,
    guideline
  • Sensitive
  • Not disclosed without good reason due to private
    nature, institutional risk
  • Protected by procedures, practice and high
    ethical standards
  • Public
  • Not protected and generally made publicly
    available

10
Degrees of Data Sensitivity (cont.)
  • Public
  • Not protected, and generally made publicly
    available
  • Examples include
  • Directories (excluding restricted individuals
    and/or information)
  • Library card catalogs
  • Course catalogs
  • Institutional policies

11
Degrees of Data Sensitivity (cont.)
  • Sensitive
  • Not disclosed without good reason due to private
    nature, institutional risk, or to maintain a
    competitive advantage
  • Protected by procedures and high ethical
    standards
  • May be subject to disclosure by specific written
    request under the Freedom of Information Act
  • Includes
  • Employment Data
  • Examples: salary data, restricted directory data,
    employee attributes (e.g., citizenship, gender,
    race/ethnicity, special needs, veteran code)
  • Other data, such as certain maps and detailed
    institutional accounting and budget data

12
Degrees of Data Sensitivity (cont.)
  • Confidential
  • Student Records
  • Protected by Family Educational Rights and
    Privacy Act
  • Protected by University policies and guidelines
  • Guidelines Governing Privacy and Release of
    Student Records
  • MSU Privacy Guidelines
  • Personally Identifiable Financial Data, such as
    with financial aid and student loans
  • Protected by Gramm-Leach-Bliley Act
  • Data used in identity theft
  • Examples: name, address, date of birth, SSN,
    payment card numbers, bank and electronic funds
    transfer account numbers, and driver's license numbers

13
Degrees of Data Sensitivity (cont.)
  • Confidential (cont.)
  • Health Records
  • Protected by Health Insurance Portability and
    Accountability Act
  • Social Security Numbers
  • Protected by Michigan Social Security Number Act
    and University policy
  • Payment Card Data
  • Protected by contract, PCI DSS (Payment Card
    Industry Data Security Standards)
  • Research Data
  • Protected by federal regulations (45 CFR 46, 21
    CFR 50, 21 CFR 56) and MSU's Internal Review
    Boards (www.humanresearch.msu.edu)

14
An Action Plan
  • Step 1: Survey Your Unit
  • Step 2: Assess Your Risk
  • Step 3: Mitigate Your Risk

15
Step 1: Survey Your Unit
  • What sensitive data are being stored and why?
  • Do you import or export sensitive data?
  • To or from whom, why, and is it secure?
  • Who has access to sensitive data in your unit?
  • What are the physical security characteristics of
    your system(s)?
  • How are your systems physically secured?
  • How are your paper files physically secured?
  • How do you manage and administer your information
    systems?

16
Step 2: Assess Your Risk
  • Assess each piece of data identified in Step 1
  • Which law, regulation, contract, policy, or
    guideline applies?
  • What are the consequences if this piece of data
    is exposed?
  • Currently, how much risk is there that this data
    will be exposed?
  • Should mitigating this risk have a high, medium,
    or low priority?

17
Step 3: Mitigate Your Risk
  • Educate security administrators and users
  • Understand your unit's need-to-know procedures
  • Be aware of risks and good data habits
  • Keep your inventory current
  • Archive un-used data
  • Delete un-needed data
  • Protect the data
  • Physically and digitally secure the data
  • Store the data in as few places as possible
  • Test security systems and processes

18
Systems Security: Ongoing Responsibility
  • New threats appear almost daily
  • Therefore we must be vigilant
  • Operating system exposures
  • Application software exposures
  • Network exposures

19
An Action Plan for Individuals
  • Step 1: Survey Your Data
  • Survey your own electronic and paper files for
    sensitive data and identify problem areas
  • Step 2: Assess Your Risk
  • Assess the risk involved with storing the data,
    the business need and how it is stored
  • Step 3: Mitigate Your Risk
  • Find ways to manage the risk and take appropriate
    action
  • Personal workstation security - Anti-virus,
    security patches, firewall, anti-spyware

20
A Metaphor: SSN Abatement
  • SSNs are similar to asbestos
  • Following industry practice, they were used
    everywhere for years
  • We now realize the dangers, so when we find them
    we follow a procedure
  • Take prompt steps to abate high-risk and/or
    low-value uses
  • Institute policies, i.e., new uses of SSN are
    forbidden without clear justification
  • Assess dangers and risks
  • Determine best way to minimize risk and reduce
    danger

21
SSN abatement example
  • Incident: MSU's library server suffered intrusion
  • System housed SSNs
  • We do not believe intruders sought or copied
    SSNs, but we do not know
  • Response
  • Although system was rather secure, security
    tightened
  • Firewall put in place
  • Summer 2005: internal processes changed so that
    the library server no longer houses SSNs

22
We all have roles to play in managing sensitive
data

23
We all have roles to play in managing sensitive
data
and we need to share our ideas and concerns with
each other.

24
Exposure or Intrusion: Which is which?
  • Exposure: sensitive data that may be accessed by
    unauthorized individuals
  • Intrusion: unauthorized access to a computing
    resource (may or may not involve sensitive data)

25
Identifying and Reporting an Incident
  • If you aren't sure if there is sensitive data
    being exposed, contact your IT staff immediately.
  • If you do not have access to IT staff in your
    department, contact the ACNS Help Desk at (517)
    432-6200.
  • It is a good idea to contact LCT about a possible
    data exposure, ASAP.

26
When an Incident Occurs, What Happens?
  • Unit, following internal procedures, notifies
    DPPS immediately (355-2221)
  • DPPS notifies LCT
  • DPPS wants to gather evidence that will lead to a
    prosecution while minimizing interruption to the
    business
  • The unit, DPPS, and LCT assess the incident
  • Systems that may have been involved may be taken
    for months, for the criminal investigation
  • Repercussions of this action can be devastating
    if a unit system is taken offline
  • Normally MSU will disclose an exposure to those
    who might be affected
  • And to the public

27
Implications of a Breach of Sensitive Data
  • Institutional and personal implications
  • Services terminated
  • Fines
  • Bad press
  • Jail time

28
Incidents at MSU
  • Despite our best efforts
  • Student PINs exposed during data transfers
    between business units
  • SSNs may have been exposed on a server at a
    business unit
  • Student SSNs, names, addresses may have been
    exposed on a server at an academic unit
  • Years of credit card transactions may have been
    exposed on a server at a business unit
  • Confidential employee information may have been
    exposed on servers at a business unit
  • We are all learning

29
We're Not Alone in This
  • There are still some schools that use SSN as a
    student identifier
  • Many universities are going through this same
    process of identifying, managing and securing
    sensitive data.
  • Nobody has declared victory. It will take years.

30
Current Resources
  • Look to http://lct.msu.edu/security for current
    resources, presentation files
  • Managing Sensitive Data Team
  • Diana D'Angelo, University Data Resource
    Administrator, Assistant Director Client Advocacy
    Office, 353-4856
  • Team Members
  • Academic Computing and Network Services
  • Administrative Information Services
  • Client Advocacy Office
  • Controller's Office
  • Department of Police and Public Safety
  • Internal Audit

31
Current Resources (cont.)
  • Town Hall meetings
  • First two in October 2005: definitions,
    principles, action plan, resources
  • Spring 2006 Town Halls will include reports from
    units who have implemented action plans
  • LCTTP Technology Training
  • Class/workshop for end-users of data; see
    www.train.msu.edu for registration and additional
    information
  • Infusion into relevant courses
  • Campus Applications, Course Management, Database
    Management, Internet Development, Microsoft
    Office and Student Information Systems

32
Current Resources (cont.)
  • Hardware repair and software reloads
  • Computer Repair, 505 Computer Center
  • Anti-virus and anti-spyware software
  • MSU Computer Store, 110 Computer Center
  • Network security assistance
  • Network Security Team, 301 Computer Center,
    security_at_msu.edu
  • PC/LAN Support
  • Implementation, security analysis, hardware and
    software trouble-shooting and repair
  • Consultation on PC and LAN implementation free of
    charge

33
Current Resources (cont.)
  • Data retention and disposal
  • University Archives provides advice on data
    retention and disposal
  • MSU Surplus can discuss specific data disposal
    needs
  • Reassigning or retiring a computer system?
  • If there is sensitive data on the hard drive,
    scrub it.
  • Erasing or reformatting a disk does not remove
    the data from the disk.
  • You must use special sanitizing software, or
    physically destroy the hard drive.

34
Current Resources (cont.)
  • Identity Theft Partnerships in Prevention
  • Judith Collins, Director
  • http://www.cj.msu.edu/outreach/identity/
  • (517) 432-4236
  • idtheft_at_msu.edu
  • Collins, Judith M., Preventing Identity Theft in
    Your Business: How to Protect Your Business,
    Customers, and Employees, John Wiley and Sons,
    Inc., 2005
  • Further discussion and resources as we continue
    to address managing sensitive data

35
Our Work Is Just Beginning
  • Change is needed at the institutional,
    departmental, and individual levels
  • Business processes
  • IT systems and procedures
  • Annual reassessments for payment cards
  • New applications must comply with policies and
    regulations

36
Our challenge
  • When we find sensitive or confidential data in
    our daily work, question if the use is
    appropriate.
  • The answer to many of our questions is not "Yes"
    or "No." Rather, it is, "It depends."
  • Do a risk assessment and make a reasonable
    decision or look for an innovative solution.

37
Questions?
  • What issues are at the top of your mind?
  • What do you think we can do to provide better
    resources to address sensitive data issues?