Project Scope Document

Project Name: Identity Protection Initiative Project Impact: Major

Minor

Business Unit Project Director: Deb Barshafsky IT Project Director: Camille Morgan Project Start Date: 10/22/2004

Business Unit Project Lead: IT Project Lead: Kristi Lucas Project End Date:

Objective: The objective of the Identity Protection Initiative is to make recommendations to the President of the Medical College of Georgia regarding institutional use of personal information, security of university computer systems containing personal information, and possible use of an institutionally generated unique identifier for all MCG constituents. The Identity Protection Initiative will be staged in two phases - Phase 1: Identification and Phase 2: Solutions. Narrative: The MCG Identity Protection Initiative was launched as a result of security concerns about documents and
systems containing sensitive personal information. Initially conceptualized as a mechanism to reduce the gratuitous use of the social security number as a primary identifier, the charge of the initiative was expanded to address a more extensive cadre of personal information. The work of IPI is led by a Steering Team composed of senior institutional leaders and reports to the MCG President.

Project Dependencies: The second phase, which will involve implementation of recommendations, cannot be initiated until successful completion of the identification phase. With regard to student information, discontinuation of the social security number cannot be effected until a new student information system (Banner) is fully implemented. Success of the project is dependant on total and complete institutional compliance with new policies and procedures regarding the official use of personal information. Project Deliverables (Tangible and intangible products, processes, results and services):
Phase 1 1. Communication plan for initiative. 2. Identity protection literature review and bibliography. 3. Prioritized list (based on sensitivity) of data elements to be protected. 4. Information gathering tools to identify where data elements are stored and how they are used. 5. Inventory of documents, manual systems, and computerized systems that store/use protected data elements. 6. Risk assessment. 7. Prioritized list of recommendations. Phase 2 1. Deliverables for Phase 2 (Solutions) will be identified and articulated at the close of Phase 1.

Project Boundaries (Empowerment limits and project constraints):

1. The initiative will encompass institutional and departmental documents and systems that hold personal information about all MCG constituents to include databases, personal systems/applications, departmental systems/applications, enterprise systems/applications, forms, documents, and all other electronic or paper representations of the data elements under review. Analysis and recommendations will address documents and systems maintained by MCG's cooperative organizations, with the exception of patient information maintained by MCG Health, Inc.

2.

Last Updated:2/9/05

Page 1 of 2

Project Scope Document

3.

Budget Items:
1. 2. 3. Tasks with budgetary impact include production of materials to support communication of the initiative to campus community (flyers, No SSN buttons, etc.) and production of instruments for use in survey process.

Anticipated Resource Requirements: Personnel: Resource requirements to support IPI are largely in the form of personnel hours. In addition to the
Steering Team and project team, departmental representatives will actively be involved in the campus wide assessment of the pervasiveness of the use of personal information in institutional, departmental, and personal documents and systems.

Non-Personnel:
1. 2.

Last Updated:2/9/05

Page 2 of 2