Data Security and Privacy: How Do We Cope?
Kathleen Jones, Iowa State University; Nancy Krogh, University of Idaho
AACRAO 2008, Session 243, March 27, 2008
"You have no privacy. Get over it." Scott McNealy, Chairman and CEO, Sun Microsystems, 1999
Privacy and Security
Define privacy and security. Discuss our current security environment. Suggest a framework for addressing issues. Discuss the role of the registrar in privacy and security solutions.
This session will not address specific technological solutions. It's about the people.
Dimensions of Privacy
Personal Privacy: the right or interest of individuals to keep their personal information, communications, and facts concerning them out of the hands of unauthorized parties.
Privacy Protection: the responsibility or stewardship role of a 3rd party that holds personal data concerning an individual that has been entrusted to them.
Source: "Insights on the Legal Landscape for Data Privacy in Higher Education," Rodney Petersen, J.D., Government Relations Officer and Security Task Force Coordinator, EDUCAUSE
Students Become More Insecure as Hackers Go to Colleges. Los Angeles Times, June 5, 2006
Privacy Rights Clearinghouse Report In 2007 alone, nearly 70 colleges experienced security meltdowns of some sort, according to the Privacy Rights Clearinghouse, a nonprofit consumer advocacy group. Campus computers have been hacked, laptops and flash drives have gone missing, and key records have been left unguarded online.
Security and Identity Management
Identified as top concerns by CIOs and technology leaders in the eighth annual EDUCAUSE Current Issues Survey. EDUCAUSE Quarterly (Vol. 30, No. 2, 2007)
Top Concerns
First time in the survey that security was split from identity and access management. Funding IT was identified as the most important issue, followed by:
1. Funding IT
2. Security
3. Administrative/ERP systems
4. Identity and access management
Security Issues Identified
Need for privacy and security policies that encompass all the IT resources of the campus. Procedures that reflect the goals of the policies. An incident response plan. Senior administrators who recognize their roles as information stewards.
Identity/Access Management Issues Identified
Strategy for managing digital identities. How effectively are students, faculty, and staff educated about their rights and responsibilities to manage their identities? How are SSNs and other identifying data used? Has the institution formally established ownership of identity data in its systems?
Higher Ed Fails Privacy Test
From a survey administered by Bentley College and Watchfire, an online risk management company: 100% of doctoral universities and liberal arts institutions neglected privacy notices on at least one online data collection form. 100% had at least one non-secure page for a data collection form. Of the 51 schools that had privacy notices, only 33% had notices that described how users could access their own information. www.cnetnews.com, April 26, 2006
Universities Need a Privacy Refresher Course
"Unfortunately, the results of this survey suggest that online privacy still is not a true part of the mission of the higher educational institutions." www.cnetnews.com, April 26, 2006
"Mistakes, Not Hackers, Are to Blame for Many Data Security Glitches on Campuses, Report Says" (Educational Security Incidents Year in Review 2007)
(Chart: Number of Incidents by Information Exposed)
In the News
"Questions Over Veterans' Data Loss: Officials' Response to News of Information Theft Scrutinized," http://www.cbsnews.com/stories/2006/05/22/national/main1640255.shtml
"U.S. Military Secrets for Sale at Afghan Bazaar," Los Angeles Times, April 10, 2006
"College official's e-mail is hijacked," Rutland Herald, March 30, 2006
"Passwords revealed by sweet deal," BBC News, April 20, 2004
More News
"University of Idaho announces computer theft," Moscow Daily News, January 25, 2007
"Obama, Clinton, McCain Passport Files Breached" ("imprudent curiosity"), Bloomberg.com
Privacy and Security Strategies
Prevention, detection, response.
Encompass all users. Extend across campus and to agencies outside of the institution. Include all formats.
Recognize this takes place in a climate of rising expectations for privacy and service, and increasing regulation to ensure both.
Prevention: What are we to do?!?
Avoiding data loss: admissions/registrar strategies.
Pay attention to security breaches and trends. Assess your institutional risk for similar occurrences. Review and update IT policies. Modify practices to minimize the chance of inadvertent harm.
What's your strategy? Narrowly define need to know? Narrowly define which data fields users can see? Audit who accesses student records? Extensive FERPA and data security training? A combination of the above?
Stay vigilant. Remember: security is never a finished product!!!
Some basic questions: access to student records on your campus
Who can see which students? Who can see what student data? Who can see and screen-scrape or download SSNs with names?
How do you know if the person logging into a secure system is really that person?
Do users of your student data understand FERPA and data security requirements?
Where is your student data stored, and is it secure? When are these files deleted?
System access risks: access profiles
Institutional policy on granting access to student data affects data loss potential. Is the need-to-know definition narrow or broad?
Instructors: own classes only vs. all classes; directory and contact data only vs. full student record.
Advisers: own advisees vs. all students.
Staff who work with specific populations: restricted to that population vs. all students.
If your need-to-know access is broad, do you ramp up your FERPA training accordingly?
Impact of access profiles
Breadth of access for student system users affects risk.
Which users of your secure systems present the least risk? STUDENTS: they can only view their own personal data.
Which users of your secure systems present the greatest risk? REGISTRAR/ADMISSIONS staff: those who can see and modify student and other data, possibly including access controls.
Risk assessment and remediation should consider breadth of access.
Student Data: Design of Views
Not all users need access to the same data elements. Instructors: what is necessary for students in a course? Advisers: what is necessary for advisees? Registrar staff: what do they need to see or update? Query access: who can download SSNs?
One-size-fits-all student data views vs. tailored views. Ideal: minimize access to the data required for performance of duties. Need to display "No info release" when appropriate.
Strongly recommended: eliminate access to SSNs or credit card information, with few exceptions.
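As an added illustration of the tailored-view and narrow need-to-know ideas above (this is example code, not anything from the presentation or from Iowa State's or Idaho's systems), the following Python builds a role-specific view of a student record: it first checks population scope (own classes, own advisees, self, or everyone for registrar staff), then filters down to the fields that role needs, never exposes the SSN field, and attaches the "no info release" padlock flag. The roles, field names and student records are constructed for the example.

```python
"""Added example: role-based, field-level views of student records.
Roles, field names and records below are constructed for illustration;
they are not the presenters' data or any institution's real design."""

from dataclasses import dataclass, field

# Constructed sample records. The "ssn" field exists in the master record
# precisely so the example can show that it never reaches any view.
STUDENTS = {
    "1001": {"uid": "1001", "name": "Ada Example", "ssn": "000-00-0001",
             "email": "ada@example.edu", "gpa": 3.7, "holds": [],
             "no_release": False, "courses": {"CS101"}, "adviser": "adv-1"},
    "1002": {"uid": "1002", "name": "Ben Sample", "ssn": "000-00-0002",
             "email": "ben@example.edu", "gpa": 2.9, "holds": ["financial"],
             "no_release": True, "courses": {"MATH200"}, "adviser": "adv-2"},
}

# Minimum fields each role needs (need to know, narrowly defined).
# SSN and card data are withheld from every view; the few legitimate
# exceptions belong on a separate, audited path, not in the general view.
DIRECTORY_FIELDS = {"uid", "name", "email"}
ROLE_FIELDS = {
    "instructor": DIRECTORY_FIELDS,
    "adviser": DIRECTORY_FIELDS | {"gpa", "holds", "courses"},
    "registrar": DIRECTORY_FIELDS | {"gpa", "holds", "courses", "adviser"},
    "student": DIRECTORY_FIELDS | {"gpa", "holds", "courses", "adviser"},
}


@dataclass
class User:
    user_id: str
    role: str
    courses_taught: set = field(default_factory=set)  # instructors only


def in_scope(user, student):
    """Population scoping: self / own classes / own advisees / all (registrar)."""
    if user.role == "student":
        return user.user_id == student["uid"]
    if user.role == "instructor":
        return bool(user.courses_taught & student["courses"])
    if user.role == "adviser":
        return student["adviser"] == user.user_id
    if user.role == "registrar":
        return True
    return False  # unknown role: deny by default


def view_student(user, uid):
    """Return the fields this user may see for this student, or None."""
    student = STUDENTS.get(uid)
    if student is None or not in_scope(user, student):
        return None  # same answer for "no such student" and "not yours"
    allowed = ROLE_FIELDS[user.role]
    view = {k: v for k, v in student.items() if k in allowed}
    # Padlock reminder for students who have requested no information release.
    if student["no_release"] and user.role != "student":
        view["flag"] = "\U0001F512 NO INFO RELEASE"
    return view


if __name__ == "__main__":
    instructor = User("i-1", "instructor", courses_taught={"CS101"})
    print(view_student(instructor, "1001"))   # directory fields only
    print(view_student(instructor, "1002"))   # None: not in the instructor's class
    print(view_student(User("adv-2", "adviser"), "1002"))  # flagged, no SSN
```

The design point is that scope and field filtering are separate decisions: broadening one (an adviser who may see all students) should not silently broaden the other, and the absence of the SSN from `ROLE_FIELDS` is what makes "you can't lose what you don't release" hold for every user of the portal.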
SSN Protection Policy
SSN is only one of many confidential data elements in student records, BUT SSN with name poses the greatest potential for identity theft.
Best practice: minimize use of and access to SSN as soon as possible, including old files and query access!
Campus training should address the special risk category of SSN.
SSN protection can provide the greatest payback related to the impact of data loss and notification costs: if you don't have it, you can't lose it!!!
Don't forget the old stuff!
ISU: no SSNs on class list files since Fall 2001 (i.e., instructors have had no access to SSNs).
SSNBreach.org, FOR IMMEDIATE RELEASE, February 4, 2008: "Iowa State University Prof. Posts 26 Students' SSNs Online." This was a Spring 2001 class, and the web page has since been removed.
SSNs can come back to haunt you long after you think they're all gone!!!
Identity Management
Identification: ensure electronic credentials for access to a system are granted only to the right person. Initial creation of account: verify identity.
Authentication: check the validity of credentials at the time of access. Each login to the secure service portal: user ID and secure password.
Authorization: determine that the person so identified has been granted the authority to perform the requested actions. Once in the portal, enforce permissions to view or update data.
Identity Management Challenges
Identification: how to ensure that the person for whom the account is created IS that person. If prior to being on campus, this must be based on information known about the person; if after arriving on campus, require photo ID.
Authentication: combination of user ID and password. Best practice: strong password using current standards. Not recommended: PIN.
Try limit: require password reset after a set number of invalid tries, or incremental time delays for each invalid password.
Password expiration: FREQUENT! (every 60-90 days, no reuse)
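The authentication controls on the slide (a real password rather than a PIN, an invalid-try limit with incremental delays, forced expiration, no reuse) fit in a few dozen lines. The following Python is an added example, not code from the presentation or from either university's portal; it keeps a salted PBKDF2 hash per account, delays each retry by a doubling interval after a failure, locks after a fixed number of failures, and reports an expired password so the portal can force a change. The concrete parameters (5 tries, 90 days, a 5-password history, 12-character minimum) are assumptions chosen for illustration, not a standard the slide cites.

```python
"""Added example: account authentication with try limit, incremental delay,
expiration and reuse prevention. Parameters are illustrative assumptions."""

import hashlib
import hmac
import os
import time

MAX_TRIES = 5                     # lock after this many consecutive failures
MAX_AGE_SECONDS = 90 * 24 * 3600  # upper end of the slide's 60-90 day range
HISTORY = 5                       # previous hashes kept to block reuse
PBKDF2_ROUNDS = 100_000           # kept modest so the example runs quickly


def password_is_strong(password):
    """Policy from the ISU slide: long, with both letters and digits (12 chars assumed).
    A 4-6 digit PIN fails this on length and on the missing letters."""
    return (len(password) >= 12
            and any(c.isdigit() for c in password)
            and any(c.isalpha() for c in password))


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, user_id, password, now=time.time):
        self.now = now             # injectable clock so expiry and delays can be tested
        self.user_id = user_id
        self.history = []          # (salt, digest) pairs, newest last
        self.failures = 0
        self.next_allowed = 0.0    # earliest time the next attempt is accepted
        self.changed_at = 0.0
        self.set_password(password)

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_derive(password, salt), digest)

    def set_password(self, password):
        if not password_is_strong(password):
            raise ValueError("password does not meet policy")
        if any(self._matches(password, e) for e in self.history):
            raise ValueError("password reuse not allowed")
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _derive(password, salt))])[-HISTORY:]
        self.changed_at = self.now()
        self.failures = 0
        self.next_allowed = 0.0

    def expired(self):
        return self.now() - self.changed_at > MAX_AGE_SECONDS

    def authenticate(self, password):
        """Return 'ok', 'expired', 'invalid', 'delayed' or 'locked'."""
        now = self.now()
        if self.failures >= MAX_TRIES:
            return "locked"        # cleared only by a reset with identity verification
        if now < self.next_allowed:
            return "delayed"       # attempt refused, does not count as a new failure
        if not self._matches(password, self.history[-1]):
            self.failures += 1
            self.next_allowed = now + 2 ** (self.failures - 1)  # 1s, 2s, 4s, 8s ...
            return "locked" if self.failures >= MAX_TRIES else "invalid"
        self.failures = 0
        self.next_allowed = 0.0
        return "expired" if self.expired() else "ok"


if __name__ == "__main__":
    acct = Account("jdoe", "Correct-Horse-42")
    print(acct.authenticate("wrong-pass-1"))      # invalid
    print(acct.authenticate("Correct-Horse-42"))  # delayed (within 1 s of the failure)
```

Two choices worth noting: a refused attempt during the delay window does not increment the failure count, so the delay cannot be used to lock someone out faster, and the "expired" result is returned only after a correct password, so the account holder, not a guesser, is the one told to change it.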
Data use confidentiality training
Ideal: one-on-one training sessions on FERPA and data security.
Second choice: required training module with annual renewal.
Third choice: security reminders in the data presentation. Examples: watermarks ("Shred, don't toss," "Confidential," etc.); a link to the student data confidentiality policy; symbols (a padlock for students with no info release, etc.).
Data storage considerations
Data released through the secure portal WILL BE downloaded and stored on desktops, laptops, networks, etc.
Ideal: minimize potential risk in what is released. Send reminders to faculty/instructors regarding data security requirements.
You can't control the data once released, but control what you can!!!
Institutional/departmental policies
You can't control everything that happens on campus, but you can attempt to control what happens in your office! Develop an office policy to guide data storage and use within your own office, and recommend it to others on campus as appropriate!
Iowa State University Office of the Registrar Data Security Best Practices: developed in preparation for an internal audit on data security.
ISU Office of the Registrar Policy: Social Security Number and University ID
University ID Number is the primary choice for accessing systems and data (Social Security number should only be used when UID is not available or practical). Office clientele should not be asked to speak their ID number; the customer can key their own ID on the data entry keypads provided at most customer service areas. When working with customers on the phone, ask if they are in a public place and warn them to take precautions when supplying ID and other confidential information.
ISU Office of the Registrar Policy: Password Security
Create secure passwords that are as long as possible and contain combinations of numbers and alpha characters. Do not write down passwords and keep them where others can access that information. Change your passwords often. Do not share passwords or logins with others.
ISU Office of the Registrar Policy: Workstation Security
Do not store confidential information on personal hard drives or easily portable storage devices. Always log off your computer when you leave your work area. Workstations should automatically switch to screen saver and password protection after X minutes of non-usage. Care should be taken to shield computer screens from public/customer view to protect confidential information. Any paper material containing confidential information should be shredded or put in confidential recycle and not be left out in public view. Take care when discussing any confidential information in a publicly accessible area of the office.
ISU Office of the Registrar Policy: E-mail Security
When sending e-mails including student information, the following guidelines apply: Do not send both full name and university ID in the same e-mail. Sending only the university ID is the best practice. Sending the university ID plus the first two letters of the last name in the same e-mail communication is acceptable when additional identifying information is needed. When possible, pick university e-mail addresses from the global directory rather than keying in the @iastate e-mail address directly; this practice keeps the routing internal to campus computer servers, which are more secure. Recheck all e-mail addresses before sending!
ISU Office of the Registrar Policy: Sending Data Files by E-mail
A data file containing confidential information, excluding social security number, may be sent electronically IF password protected. The data file and password must be sent in separate e-mails. For information on how to password protect a file, go to: www.public.iastate.edu/~registrar/info/passwordprotect.html
ISU Office of the Registrar Policy: Disposal of Confidential Information
All hard drives and other computer storage devices will be cleansed of data or destroyed before disposal. Confidential reports or any paper containing confidential information will be shredded or put in locked confidential recycle after use. Old microfiche containing confidential information will be shredded or destroyed when no longer needed.
ISU Office of the Registrar Policy: Other Data Protection Advisories
Reports, microfiche and other printouts should no longer contain Social Security Number; University ID should be used, and only when necessary. Electronic reports on AccessPlus that require passwords and access set-up are preferred over microfiche and paper reports. Credit card numbers should never be stored in computer files. Paper transcript orders containing credit card information will be kept in a locked area and shredded/destroyed when no longer needed.
What's next? What are your concerns in the area of data security? Discussion. Thank You!
Resources
www.educause.edu: EDUCAUSE Home > EDUCAUSE Major Initiatives > Security Task Force; EDUCAUSE Home > Resources > Browse > Cybersecurity
Chronicle of Higher Education, Information Technology
Campus Technology
AACRAO: AACRAO Security Newsletter