Managing Sensitive Data - Michigan State University


Managing Sensitive Data at Michigan State University

Presentation on behalf of:
• Controller’s Office
• Internal Audit
• Libraries, Computing & Technology

Agenda

• Definitions and principles regarding sensitive data
• An action plan for managing your confidential & sensitive data
• Current resources

Data Management Initiatives at MSU

• Managing Sensitive Data initiative
  – Complying with law, regulations, contracts, policies, guidelines and procedures in protecting data and its appropriate use
  – Protecting individual privacy and reducing the potential for identity theft
  – Education and awareness
• Data Stewardship and Data Governance
  – Privacy and Confidentiality Policy for Institutional Data
  – Access principles, guidelines and procedures
  – Guidelines for managing research data
• Payment Card Industry Data Security Standards (PCI DSS) compliance initiative
• Social Security Number Privacy Policy
• Statement of Acceptable Use

What Constitutes Institutional Data?

Any data/information the MSU workforce
• Collects
• Creates
• Stores
• Distributes
• Uses
in the normal course of University business

Facets of Institutional Data

Facet                          Questions to ask
What format is the data in?    Is it electronic, like in an email attachment? Paper based? Spoken?
What is the data used for?     Keeping track of student grades? Employee wage changes?
How sensitive is the data?     Is it confidential, sensitive, or public?

Data Stewardship: Our Institutional & Individual Responsibilities

We have legal and ethical responsibilities to protect the privacy and confidentiality of institutional data.

– Legal: Comply with federal & state law, government and other regulations, MSU contracts, policies, guidelines and procedures
– Ethical: Meet responsibilities to students, employees, alumni, and affiliates (clients, patients, patrons, partners, public, etc.)

CIA in Data Management

• Confidentiality – Only authorized people access the data
• Integrity – The data are trustworthy
• Availability – Use the data effectively and efficiently while safeguarding confidentiality
• Confidentiality vs Availability

Data Privacy and Security Guidelines

• Data are made available on a need-to-know basis
• Institutional data are only to be used in the context of University business
• Members of the workforce must understand that:
  – They are in a position of trust
  – Each individual is responsible for appropriate use and release of data

Degrees of Data Sensitivity

• Confidential – Protected by law, regulation, contract, policy, guideline
• Sensitive
  – Not disclosed without good reason due to private nature, institutional risk
  – Protected by procedures, practice and high ethical standards
• Public – Not protected and generally made publicly available

Degrees of Data Sensitivity (cont.)

• Public
  – Not protected, and generally made publicly available
  – Examples include:
    • Directories (excluding restricted individuals and/or information)
    • Library card catalogs
    • Course catalogs
    • Institutional policies

Degrees of Data Sensitivity (cont.)

• Sensitive
  – Not disclosed without good reason due to private nature, institutional risk, or to maintain a competitive advantage
  – Protected by procedures and high ethical standards
  – May be subject to disclosure by specific written request under the Freedom of Information Act
  – Includes:
    • Employment Data – Examples: salary data, restricted directory data, employee attributes (e.g., citizenship, gender, race/ethnicity, special needs, veteran code)
    • Other data, such as certain maps and detailed institutional accounting and budget data

Degrees of Data Sensitivity (cont.)

• Confidential
  – Student Records
    • Protected by Family Educational Rights and Privacy Act
    • Protected by University policies and guidelines
      – Guidelines Governing Privacy and Release of Student Records
      – MSU Privacy Guidelines
  – Personally Identifiable Financial Data, such as with financial aid and student loans
    • Protected by Gramm-Leach-Bliley Act
  – Data used in identity theft
    • Examples: name, address, date of birth, SSN, payment card numbers, bank and electronic funds transfer account numbers, and driver’s license #s

Degrees of Data Sensitivity (cont.)

• Confidential (cont.)
  – Health Records
    • Protected by Health Insurance Portability and Accountability Act
  – Social Security Numbers
    • Protected by Michigan Social Security Number Act and University policy
  – Payment Card Data
    • Protected by contract, PCI DSS (Payment Card Industry Data Security Standards)
  – Research Data
    • Protected by federal regulations (45 CFR 46, 21 CFR 50, 21 CFR 56) and MSU’s Internal Review Boards (www.humanresearch.msu.edu)

An Action Plan

Step 1: Survey Your Unit
Step 2: Assess Your Risk
Step 3: Mitigate Your Risk

Step 1: Survey Your Unit

• What sensitive data are being stored and why?

• Do you import or export sensitive data?

– To or from whom, why, and is it secure?

• Who has access to sensitive data in your unit?

• What are the physical security characteristics of your system(s)?

– How are your systems physically secured?

– How are your paper files physically secured?

• How do you manage and administer your information systems?


Step 2: Assess Your Risk

• Assess each piece of data identified in Step 1
  – Which law, regulation, contract, policy, or guideline applies?
  – What are the consequences if this piece of data is exposed?
  – Currently, how much risk is there that this data will be exposed?
  – Should mitigating this risk have a high, medium, or low priority?

Step 3: Mitigate Your Risk

• Educate security administrators and users
  – Understand your unit’s “need-to-know” procedures
  – Be aware of risks and good data habits
• Keep your inventory current
  – Archive un-used data
  – Delete un-needed data
• Protect the data
  – Physically & digitally secure the data
  – Store the data in as few places as possible
• Test security systems and processes
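Added example, not from the presentation: the three action-plan steps (survey, assess, mitigate) as a small risk register in Python, using the sensitivity tiers and governing laws from the "Degrees of Data Sensitivity" slides and the mitigations listed in Step 3. The impact weights, the score thresholds and the sample survey rows are my assumptions.

```python
from dataclasses import dataclass
# Impact weight per sensitivity tier: the tiers are the deck's, the weights are my assumption.
IMPACT = {"confidential": 3, "sensitive": 2, "public": 0}
# Governing law or contract per data category, from the "Degrees of Data Sensitivity" slides.
GOVERNING = {"student_record": "FERPA", "financial_aid": "Gramm-Leach-Bliley Act",
             "health_record": "HIPAA", "ssn": "Michigan SSN Act and MSU SSN Privacy Policy",
             "payment_card": "PCI DSS (contract)", "salary": "MSU procedures (FOIA-disclosable)"}

@dataclass
class DataItem:            # one row of the Step 1 survey
    name: str
    category: str
    sensitivity: str       # confidential | sensitive | public
    likelihood: int        # Step 2: chance of exposure today, 1 (low) to 3 (high)
    days_since_used: int
    copies: int            # how many places the data are stored

def assess(item):
    """Step 2: impact x likelihood, bucketed into the deck's high/medium/low priority."""
    score = IMPACT[item.sensitivity] * item.likelihood
    return "high" if score >= 6 else "medium" if score >= 2 else "low"

def mitigate(item):
    """Step 3: the mitigation actions the deck lists, chosen from the survey facts."""
    if item.sensitivity == "public":
        return []
    actions = []
    if item.days_since_used > 365:
        actions.append("archive un-used data, or delete it if no longer needed")
    if item.copies > 1:
        actions.append(f"store in as few places as possible ({item.copies} copies found)")
    if item.category == "ssn":
        actions.append("SSN abatement: continued use needs clear justification, else remove")
    actions.append(f"physically and digitally secure under {GOVERNING[item.category]}")
    return actions

def risk_register(items):
    """Run Steps 2 and 3 over the whole survey; highest priority first, then by name."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [(assess(i), i.name, mitigate(i)) for i in items]
    return sorted(rows, key=lambda r: (order[r[0]], r[1]))

# Constructed sample survey for illustration, not real MSU data.
SURVEY = [
    DataItem("grades spreadsheet on shared drive", "student_record", "confidential", 2, 30, 3),
    DataItem("legacy SSN roster on library server", "ssn", "confidential", 3, 700, 1),
    DataItem("salary export", "salary", "sensitive", 1, 10, 1),
    DataItem("course catalog PDF", "course_catalog", "public", 3, 0, 5),
]
```

Calling risk_register(SURVEY) puts the two confidential items first, each with its governing law and the concrete clean-up action the survey facts justify.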

Systems Security: Ongoing Responsibility

• New threats appear almost daily
• Therefore we must be vigilant:
  – Operating system exposures
  – Application software exposures
  – Network exposures

An Action Plan for Individuals

Step 1: Survey Your Data
  – Survey your own electronic and paper files for sensitive data and identify problem areas
Step 2: Assess Your Risk
  – Assess the risk involved with storing the data, the business need and how it is stored
Step 3: Mitigate Your Risk
  – Find ways to manage the risk and take appropriate action
  – Personal workstation security: anti-virus, security patches, firewall, anti-spyware

A Metaphor: SSN Abatement

• SSNs are similar to asbestos
  – Following industry practice, they were used everywhere for years
  – We now realize the dangers, so when we find them we follow a procedure:
    • Take prompt steps to abate high-risk and/or low-value uses
    • Institute policies; i.e. new uses of SSN are forbidden without clear justification
    • Assess dangers and risks
    • Determine best way to minimize risk and reduce danger

SSN abatement example

• Incident: MSU’s library server suffered intrusion
• System housed SSNs
• We do not believe intruders sought or copied SSNs, but we do not know
• Response:
  – Although system was rather secure, security tightened
  – Firewall put in place
  – Summer 2005: internal processes changed so that the library server no longer houses SSNs

We all have roles to play in managing sensitive data and we need to share our ideas and concerns with each other.

Exposure or Intrusion – Which is which?

• Exposure – sensitive data that may be accessed by unauthorized individuals
• Intrusion – unauthorized access to a computing resource (may or may not involve sensitive data)

Identifying and Reporting an Incident

• If you aren’t sure if there is sensitive data being exposed, contact your IT staff immediately.

• If you do not have access to IT staff in your department, contact the ACNS Help Desk at (517) 432-6200.

• It is a good idea to contact LCT about a possible data exposure, ASAP.


When an Incident Occurs, What Happens?

• Unit, following internal procedures, notifies DPPS immediately (355-2221)
  – DPPS notifies LCT
  – DPPS wants to gather evidence that will lead to a prosecution while minimizing interruption to the business
• The unit, DPPS, and LCT assess the incident
• Systems that may have been involved may be taken for months, for the criminal investigation
  – Repercussions of this action can be devastating if a unit system is taken offline
• Normally MSU will disclose an exposure to those who might be affected
  – And to the public

Implications of a Breach of Sensitive Data

• Institutional and personal implications
• Services terminated
• Fines
• Bad press
• Jail time

Incidents at MSU

• Despite our best efforts…
  – Student PINs exposed during data transfers between business units
  – SSNs may have been exposed on a server at a business unit
  – Student SSNs, names, addresses may have been exposed on a server at an academic unit
  – Years of credit card transactions may have been exposed on a server at a business unit
  – Confidential employee information may have been exposed on servers at a business unit
• We are all learning

We’re Not Alone in This

• There are still some schools that use SSN as a student identifier
• Many universities are going through this same process of identifying, managing and securing sensitive data.
  – Nobody has declared victory. It will take years.

Current Resources

• Look to http://lct.msu.edu/security for current resources, presentation files
• Managing Sensitive Data Team
  – Diana D’Angelo, University Data Resource Administrator, Assistant Director Client Advocacy Office, 353-4856
  – Team Members
    • Academic Computing and Network Services
    • Administrative Information Services
    • Client Advocacy Office
    • Controller’s Office
    • Department of Police and Public Safety
    • Internal Audit

Current Resources (cont.)

• Town Hall meetings
  – First two in October 2005 – definitions, principles, action plan, resources
  – Spring 2006 Town Halls will include reports from units who have implemented action plans
• LCTTP Technology Training
  – Class/workshop for end-users of data – see www.train.msu.edu for registration and additional information
  – Infusion into relevant courses
    • Campus Applications, Course Management, Database Management, Internet Development, Microsoft Office and Student Information Systems

Current Resources (cont.)

• Hardware repair and software reloads
  – Computer Repair, 505 Computer Center
• Anti-virus and anti-spyware software
  – MSU Computer Store, 110 Computer Center
• Network security assistance
  – Network Security Team, 301 Computer Center, [email protected]
• PC/LAN Support
  – Implementation, security analysis, hardware and software trouble-shooting and repair
  – Consultation on PC and LAN implementation free of charge

Current Resources (cont.)

• Data retention and disposal
  – University Archives provides advice on data retention and disposal
  – MSU Surplus can discuss specific data disposal needs
• Reassigning or retiring a computer system?
  – If there is sensitive data on the hard drive, scrub it.
  – Erasing or reformatting a disk does not remove the data from the disk.
  – You must use special sanitizing software, or physically destroy the hard drive.
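Added example, not from the presentation: a toy block device in Python that shows why an ordinary delete or a reformat leaves the data on the disk (only the directory changes) while sanitizing software overwrites every block. The ToyDisk model, its method names and the sample record are constructed for this illustration and do not describe any real filesystem or person.

```python
import os

BLOCK, NBLOCKS = 64, 16
# Constructed sample record for the demonstration; not a real person or SSN.
RECORD = b"name=Jane Doe;ssn=000-00-0000;dob=1990-01-01"

class ToyDisk:
    """A toy block device written for this example (not any real filesystem):
    a directory maps file names to data blocks, and 'free' lists unused blocks."""
    def __init__(self):
        self.image = bytearray(BLOCK * NBLOCKS)   # the raw bytes on the platter
        self.directory = {}                        # file name -> block index
        self.free = list(range(NBLOCKS))

    def write_file(self, name, data):
        blk = self.free.pop(0)
        self.image[blk * BLOCK:(blk + 1) * BLOCK] = data.ljust(BLOCK, b"\0")
        self.directory[name] = blk

    def delete(self, name):
        """An ordinary delete: drop the directory entry and free the block; bytes untouched."""
        self.free.append(self.directory.pop(name))

    def quick_format(self):
        """A reformat: start with an empty directory and every block free.
        Again, no data block is rewritten."""
        self.directory, self.free = {}, list(range(NBLOCKS))

    def sanitize(self):
        """What sanitizing software does: overwrite every block of the image,
        allocated or not, then rebuild the empty directory."""
        self.image[:] = os.urandom(len(self.image))
        self.image[:] = bytes(len(self.image))
        self.quick_format()

def remnants(disk, needle=b"ssn="):
    """The check before reassigning a machine: scan the raw image, not the
    directory, for sensitive markers. Returns how many were found."""
    return disk.image.count(needle)

def demo():
    d = ToyDisk()
    d.write_file("roster.txt", RECORD)
    d.delete("roster.txt")
    after_delete = remnants(d)
    d.quick_format()
    after_format = remnants(d)
    d.sanitize()
    return after_delete, after_format, remnants(d)   # (1, 1, 0)
```

The record is still findable after both the delete and the reformat; only sanitize() brings the remnant count to zero.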

Current Resources (cont.)

• Identity Theft Partnerships in Prevention
  – Judith Collins, Director
  – http://www.cj.msu.edu/~outreach/identity/
  – (517) 432-4236, [email protected]
• Collins, Judith M., Preventing Identity Theft in Your Business: How to Protect Your Business, Customers, and Employees, John Wiley and Sons, Inc., 2005
• Further discussion and resources as we continue to address managing sensitive data

Our Work Is Just Beginning

• Change is needed at the institutional, departmental, and individual levels
  – Business processes
  – IT systems and procedures
• Annual reassessments for payment cards
• New applications must comply with policies and regulations

Our challenge

• When we find sensitive or confidential data in our daily work, question if the use is appropriate.
• The answer to many of our questions is not “Yes” or “No.” Rather, it is, “It depends.”
  – Do a risk assessment and make a reasonable decision or look for an innovative solution.

Questions?

• What issues are at the top of your mind?

• What do you think we can do to provide better resources to address sensitive data issues?
