Data Security and Privacy: How Do We Cope?
Kathleen Jones – Iowa State University; Nancy Krogh – University of Idaho
AACRAO 2008/Session 243 March 27, 2008
“You have no privacy. Get over it.”
Scott McNealy, Chairman and CEO, Sun Microsystems
Privacy and Security
• Define privacy and security
• Discuss our current security environment
• Suggest a framework for addressing issues
• Discuss the role of the registrar in privacy and
security solutions
• This session will not address specific
Dimensions of Privacy
• Personal Privacy – the right or interest for
individuals to keep their personal information,
communications, and facts concerning them
out of the hands of unauthorized parties.
• Privacy Protection – the responsibility or
stewardship role of a 3rd party that holds
personal data concerning an individual that
has been entrusted to them.
Insights on the Legal Landscape for Data Privacy in Higher Education
Rodney Petersen, J.D., Government Relations Officer and Security Task Force Coordinator, EDUCAUSE
“Students Become More Insecure as Hackers Go to Colleges.”
Privacy Rights Clearinghouse Report
• In 2007 alone, nearly 70 colleges experienced
security meltdowns of some sort, according to
the Privacy Rights Clearinghouse, a nonprofit
consumer‐advocacy group. Campus
computers have been hacked, laptops and
flash drives have gone missing, and key
Security and Identity Management
Identified as top concerns by CIOs and technology leaders in
the eighth annual EDUCAUSE Current Issues Survey.
Top Concerns
• First time in the survey that security was split
from identity and access management.
1. Funding IT was identified as most important
issue followed by:
2. Security
3. Administrative/ERP systems
Security Issues Identified:
• Need for privacy and security policies that
encompass all the IT resources of the campus.
• Procedures that reflect the goals of the
policies
• An incident response plan
• Senior administrators who recognize their
Identity/Access Management Issues Identified:
• Strategy for managing digital identities.
• How effectively are students, faculty, and staff
educated about their rights and
responsibilities to manage their identities?
• How are SSN’s and other identifying data
used?
• Has the institution formally established
Higher Ed Fails Privacy Test
• From a survey administered by Bentley College and
Watchfire, an on‐line risk management company:
– 100% of doctoral universities and liberal arts institutions
neglected privacy notices on at least one on‐line data
collection form.
– 100% had at least one non‐secure page for a data
collection form.
– Of the 51 schools that had privacy notices, only 33% had
notices that described how users could access their own
information.
www.CNETnews.com
“Universities Need a Privacy Refresher Course”
“Unfortunately, the results of this survey suggest
that online privacy still is not a true part of the
mission of the higher educational
institutions….”
www.CNETnews.com
Mistakes, Not Hackers, Are to Blame for Many
Data‐Security Glitches on Campuses, Report Says
In the News…
• Questions Over Veterans' Data Loss
– Officials' Response to News of Information Theft
Scrutinized
http://www.cbsnews.com/stories/2006/05/22/national/main1640255.shtml
• U.S. Military Secrets for Sale at Afghan Bazaar
Los Angeles Times, April 10, 2006
• College official's e‐mail is hijacked
Rutland Herald, March 30, 2006
• Passwords revealed by sweet deal
More News
• University of Idaho announces computer theft
Moscow Daily News, January 25, 2007
• Obama, Clinton, McCain Passport Files
Breached
– “imprudent curiosity”
Privacy and Security Strategies
Prevention – Detection – Response
• Encompass all users
• Extend across campus and to agencies outside of the institution
• Include all formats
• Recognize this takes place in a climate of rising expectations for privacy
Prevention – What are we to do?!?
Avoiding data loss – admissions/registrar strategies
• Pay attention – security breaches and trends
• Assess your institutional risk for similar occurrences
• Review and update IT policies
• Modify practices to minimize chance of inadvertent harm
• What’s your strategy?
– Narrowly define need to know?
– Narrowly define which data fields users can see?
– Audit who accesses student records?
– Extensive FERPA and data security training?
– A combination of the above?
• Stay vigilant
Some basic questions
Access to student records on your campus – Who can see which students?
Who can see what student data?
Who can see and screen scrape or download SSNs
with names?
How do you know if the person logging into a secure
system is really that person?
Do users of your student data understand FERPA and
data security requirements?
Where is your student data stored and is it secure? When are these files deleted?
System access risks – access profiles
Institutional policy on granting access to student data
affects data loss potential
• “Need to know” definition – narrow or broad?
– Instructors:
• Own classes only vs. all classes
• Directory and contact data only vs. full student record
– Advisers:
• Own advisees vs. all students
– Staff who work with specific populations
• Restricted to that population vs. all students
• If your “need to know” access is broad, do you ramp
Impact of access profiles
Breadth of access for student system users affects risk
• Which users of your secure systems present the least
risk –
– STUDENTS – they can only view their personal data
• Which users of your secure systems present the
greatest risk –
– REGISTRAR/ADMISSIONS staff – those who can see and
modify student and other data, possibly including access
controls
• Risk assessment and remediation should consider
Student Data – Design of “Views”
Not all users need access to the same data elements
• Instructors – what is necessary for students in a
course?
• Advisers – what is necessary for advisees?
• Registrar staff – what do they need to see or update?
• Query access – who can download SSNs?
One‐size‐fits‐all student data views vs. tailored views
Ideal – minimize access to data required for performance
of duties
Need to display “No info release” when appropriate
Strongly recommended – eliminate access to SSNs or
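The access-profile and tailored-view ideas above (own classes vs. all classes, directory data vs. full record, SSN only through a narrow query profile, a “No info release” flag) as working code, added here as an example and not ISU's own system. Role names, field names and the roster, enrollment and advisee data are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample student record; every key is a data element a view may expose.
STUDENT = {
    "uid": "U0001", "name": "Pat Example", "email": "pat@example.edu",
    "phone": "555-0100", "major": "Physics", "gpa": 3.4, "ssn": "000-00-0000",
    "no_info_release": True,
}

# Tailored views: each role sees only the elements its duties require.
# SSN is absent from every view except the narrow registrar query profile.
VIEWS = {
    "instructor": {"uid", "name", "email"},                       # directory/contact only
    "adviser": {"uid", "name", "email", "phone", "major", "gpa"},
    "registrar": {"uid", "name", "email", "phone", "major", "gpa"},
    "registrar_query": {"uid", "name", "ssn"},                    # audited SSN query access
    "student": {"uid", "name", "email", "phone", "major", "gpa"},
}

# Constructed enrollment data: which students sit in which section.
ENROLLMENT = {"PHYS101-A": {"U0001", "U0002"}, "CHEM200-B": {"U0003"}}

@dataclass
class User:
    uid: str
    role: str
    classes: set = field(default_factory=set)    # instructor's own sections
    advisees: set = field(default_factory=set)   # adviser's own advisees

def in_scope(user: User, student_uid: str) -> bool:
    """Narrow 'need to know': a relationship to the student, not the role alone."""
    if user.role == "student":
        return user.uid == student_uid
    if user.role == "instructor":
        return any(student_uid in ENROLLMENT.get(c, set()) for c in user.classes)
    if user.role == "adviser":
        return student_uid in user.advisees
    return user.role in ("registrar", "registrar_query")  # population-wide duties

def view_record(user: User, record: dict) -> dict:
    """Return only the elements the user's view allows, or {} when out of scope."""
    if not in_scope(user, record["uid"]):
        return {}
    shown = {k: v for k, v in record.items() if k in VIEWS[user.role]}
    # Surface a FERPA "no information release" flag on every non-student view.
    if record.get("no_info_release") and user.role != "student":
        shown["notice"] = "No info release - do not disclose"
    return shown
```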
SSN Protection Policy
SSN only one of many confidential data elements in
student records BUT ‐ SSN with name poses
the greatest potential for identity theft
Best practice – minimize use of and access to SSN
ASAP, including “old files” and query access!
Campus training should address the special risk
category of SSN
SSN protection can provide the greatest payback
related to impact of data loss and notification
Don’t forget the old stuff!
ISU – no SSNs on class list files since Fall 2001
(i.e. instructors have had no access to SSNs)
• SSN Breach.org ‐ FOR IMMEDIATE RELEASE:
February 4, 2008 ‐ “Iowa State University
Prof. Posts 26 Students' SSNs Online”
• This was a Spring 2001 class and the web page
has since been removed
• SSNs can come back to haunt you for long
Identity Management
• Identification: ensure electronic credentials for access
to a system are granted only to the right person
– Initial creation of account – verify identity
• Authentication: check validity of credentials at the
time of access
– Each login to the secure service portal – user ID and secure
password
• Authorization: determine that the person so identified
has been granted the authority to perform the
requested actions
– Once in the portal, need to enforce “permissions” to view or
Identity Management Challenges
• Identification – how to ensure that the person for whom
the account is created IS that person
– If prior to being on campus, must be based on information
known about the person
– If after on campus, require photo ID
• Authentication – combination of UserID and password
– Best practice: strong password using current standards
– Not recommended: PIN
– Try limit: require password reset after set number of invalid
tries, or incremental time delays for each invalid password
– Password expiration: FREQUENT! (every 60‐90 days, no
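The authentication controls listed above (try limit, incremental delay after each invalid password, password expiration) as one login routine, added here as an example and not ISU's portal code. The thresholds are assumptions: five tries before lockout, a delay that starts at one second and doubles per failure, and the 90-day end of the slide's 60‐90 day range.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_TRIES = 5          # try limit: lock after this many consecutive failures (assumed)
MAX_AGE_DAYS = 90      # slide: password expiration every 60-90 days; 90 chosen here
BASE_DELAY_S = 1.0     # incremental delay, doubling after each invalid password (assumed)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    set_on_day: int               # day number on which the password was last set
    failures: int = 0             # consecutive invalid tries since the last success
    next_allowed_at: float = 0.0  # earliest clock time (seconds) for the next try

def hash_pw(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_account(password: str, today: int) -> Account:
    salt = os.urandom(16)
    return Account(salt, hash_pw(password, salt), today)

def login(acct: Account, password: str, now: float, today: int) -> str:
    """Return 'ok', 'expired', 'locked', 'delayed' or 'bad_password'."""
    if acct.failures >= MAX_TRIES:
        return "locked"                 # try limit reached; needs an administrative reset
    if now < acct.next_allowed_at:
        return "delayed"                # delay from the last invalid password still running
    if not hmac.compare_digest(hash_pw(password, acct.salt), acct.pw_hash):
        acct.failures += 1
        acct.next_allowed_at = now + BASE_DELAY_S * 2 ** (acct.failures - 1)
        return "bad_password"
    acct.failures = 0                   # a valid password resets the try counter
    if today - acct.set_on_day > MAX_AGE_DAYS:
        return "expired"                # credentials valid but must be changed before use
    return "ok"
```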
Data use – confidentiality training
• Ideal – one on one training sessions on FERPA and
data security
• Second choice – required training module with
annual renewal
• Third choice – security reminders in the data
presentation
• Examples –
– Watermarks: Shred don’t toss, confidential, etc.
– Links: Link to student data confidentiality policy
Data storage considerations
• Data released through secure portal WILL BE
downloaded and stored on desktops, laptops,
networks, etc.
• Ideal – minimize potential risk in what is
released
• Reminders to faculty/instructors regarding
data security requirements
• You can’t control the data once released – but
Institutional/departmental policies
• Can’t control everything that happens on
campus, but you can attempt to control what
happens in your office!
• Develop an office policy to guide data storage
and use within your own office
• Recommend to others on campus as
appropriate!
• Iowa State University “Office of the Registrar
Data Security Best Practices” developed in
ISU Office of the Registrar Policy: Social Security Number and University ID
• University ID Number is the primary choice for
accessing systems and data (Social Security number
should only be used when UID is not available or
practical).
• Office clientele should not be asked to speak their ID
number. The customer can key their own ID on
provided data entry key pads at most customer
service areas.
• When working with customers on the phone, ask if
they are in a public place and warn them to take
precautions when supplying ID and other
ISU Office of the Registrar Policy: Password Security
• Create secure passwords that are as long as
possible and contain combinations of numbers
and alpha characters
• Do not write down passwords and keep them
where others can access that information
• Change your passwords often
ISU Office of the Registrar Policy: Workstation Security
• Do not store confidential information on personal hard drives or
easily portable storage devices
• Always log off your computer when you leave your work area
• Workstations should automatically switch to screen saver and
password protection after X minutes of non-usage
• Care should be taken to shield computer screens from
public/customer view to protect confidential information
• Any paper material containing confidential information should
be shredded or put in confidential recycle and not be left out in
public view
• Take care when discussing any confidential information in a
ISU Office of the Registrar Policy: E‐security
• When sending e‐mails including student
information, the following guidelines apply:
– Do not send both full name and university ID in the same
email.
– Sending only university ID is the best practice.
– Sending university ID plus first two letters of the last
name in the same email communication is acceptable,
when additional identifying information is needed.
• When possible, pick university e‐mail addresses
from the global directory rather than keying in the
@iastate E‐mail address directly. This practice
keeps the routing internal to campus computer
servers, which are more secure.
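The three e‐mail rules above as a pre-send check on a draft message, added here as an example and not ISU's own tooling. It assumes a 9-digit university ID (the slides give no format), that the sender names the student the message concerns, and reads the rules conservatively: any part of the name beyond the first two surname letters, combined with the ID, is rejected.

```python
import re

UID_RE = re.compile(r"\b\d{9}\b")   # assumed university ID format; the slides do not give one

def _has(token: str, body: str) -> bool:
    """Whole-word, case-insensitive match so 'Jo' does not fire inside 'job'."""
    return re.search(rf"\b{re.escape(token)}\b", body, re.I) is not None

def check_email(body: str, first_name: str, last_name: str) -> str:
    """Classify a draft: 'no_uid', 'uid_only', 'uid_plus_initials' or 'reject'."""
    if not UID_RE.search(body):
        return "no_uid"                     # the combination rule does not apply
    # Conservative reading of the slide: any part of the name beyond the first
    # two letters of the surname, together with the ID, is rejected.
    if _has(first_name, body) or _has(last_name, body):
        return "reject"
    if _has(last_name[:2], body):
        return "uid_plus_initials"          # acceptable when more identification is needed
    return "uid_only"                       # the slide's best practice

def redact_name(body: str, first_name: str, last_name: str) -> str:
    """Rewrite a draft so it carries only the first two letters of the surname."""
    initials = last_name[:2]
    body = re.sub(rf"\b{re.escape(first_name)}\s+{re.escape(last_name)}\b", initials, body, flags=re.I)
    body = re.sub(rf"\b{re.escape(last_name)}\b", initials, body, flags=re.I)
    body = re.sub(rf"\b{re.escape(first_name)}\b\s*", "", body, flags=re.I)
    return body

# Constructed sample drafts about a fictitious student, Pat Jones, with the expected verdicts.
SAMPLES = {
    "Please update the record for Pat Jones, ID 123456789.": "reject",
    "Please update the record for Jo, ID 123456789.": "uid_plus_initials",
    "Hold placed on ID 123456789 pending transcript.": "uid_only",
    "Pat Jones asked about a transcript hold.": "no_uid",
}

def classify_samples() -> dict:
    """Run the check over every constructed draft; should reproduce SAMPLES."""
    return {text: check_email(text, "Pat", "Jones") for text in SAMPLES}
```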
ISU Office of the Registrar Policy: Sending data files by e‐mail
A data file containing confidential information,
excluding social security number, may be sent
electronically IF password protected. The data
file and password must be sent in separate
emails. For information on how to password
protect a file, go to:
ISU Office of the Registrar Policy: Disposal of Confidential Information
• All hard drives and other computer storage
devices will be cleansed of data or destroyed
before disposal.
• Confidential reports or any paper containing
confidential information will be shredded or
put in locked confidential recycle after use.
• Old microfiche containing confidential
information will be shredded or destroyed
ISU Office of the Registrar Policy: Other data protection advisories
• Reports, microfiche and other printouts should no
longer contain Social Security Number. University ID
should be used and only when necessary.
• Electronic reports on AccessPlus that require
passwords and access set up are preferred over
microfiche and paper reports.
• Credit card numbers should never be stored on
computer files.
• Paper transcript orders containing credit card
information will be kept in a locked area and
What’s next?
What are your concerns in the area of data security?
Discussion
Resources
• www.educause.edu
– EDUCAUSE Home > EDUCAUSE Major Initiatives >
SECURITY TASK FORCE
– EDUCAUSE Home > Resources > Browse > Cybersecurity >
• Chronicle of Higher Education – Information technology
• Campus Technology