Data Classification Standard & Data Management Procedures

By:
John L. Baines Jeff Webster Leo Howell
3/21/2012

Introduction
Information

is THE primary asset at the University Security & custody are now both strong issues Press & governance showing increased attention The University reputation is at stake
DCS & DMP

3/21/2012

Increasingly Complicated Compliance Constraints

Statute FERPA HIPAA GLBA PCI DSS SB 1048 Type of requirement Federal law Federal law Federal law University data Student records Health records Financial data Example location Faculty PC or server Athletics dept. Financial Aid Bookstore server R&R Payroll

Payment Card Industry - Credit card Data Security Std. data State Identity Theft law SSN , etc. Staff data

State Employee Personal Information Privacy law

Federal Grants
DCS & DMP

Contract requirements

Research materials
3

Lab PC

3/21/2012

Ohio University

Reported in an Athens News article 06-12-2006 Hackers gained access to personal data Including SSNs of 200,000 students and alumni Multiple incidents More than $77,000 spent sending letters Blow to alumni goodwill

A number of writers to the University have expressed

Anger Frustration Reluctance to donate any more money to OU Requested bill for time Questions about competence & integrity Threat of class-action lawsuits!

DCS & DMP

3/21/2012

Educational Institutes Seen as Easy Marks

Los Angeles Times article - May 30, 2006

Since January, 2006 at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges nationwide.

we were adding on another university every week to look into - Michael C. Zweiback, assistant U.S. attorney
5
3/21/2012

DCS & DMP

Technology Makes Risk Higher

On the Internet EVERYONE lives next door! Low-cost high-speed portable data storage
Corsair Flash Voyager 1GB USB 2.0 Flash Drive

Enough to store all University SSNs!!!

Final Price: $9.99
DCS & DMP

3/21/2012

Two Draft Regulations

For both electronic and other media Data Classification Standard (new)
Sensitivity of data Security and privacy Consistency

Data Management Procedures (revised)

Responsibility and accountability Authorization for access Custody of information copies
DCS & DMP

3/21/2012

Not Just IT Anymore

HR Finance Web IPR Portable data Athletics

Electronic & Physical

If it ever was!

Text A/V

Downloa d
8

Dept level

DCS & DMP

3/21/2012

Data Classification Standard DCS

University data
Identification Confidentiality and sensitivity Classification Protection Consistency

DCS & DMP

3/21/2012

Three Virtual Protection Zones

Based on Security from Data Classification Standard
High Impact to business Significant financial loss Violates laws, agreements, or regulations. Moderate NOT Red but Adversely affects the University

E.g., a laptop with access to social security numbers operates in the Red zone

Normal NOT Yellow but Authorization required to modify or copy

E.g., a server with only published materials may require merely Green zone protection

Security follows data

DCS & DMP

10

3/21/2012

Current DMP Data Management Procedures

University Regulation 8.00.3 Original approved January 1990 Served the University very well Is detailed and specific to:

Centrally managed data Enterprise information systems

DCS & DMP

11

3/21/2012

The New Draft DMP

Generalized and simplified the DMP Foundation and framework:

RMIS, Colleges, and Departments will:

Management of any and all University data Electronic and physical copies

Develop their own more detailed procedures Establish relevancy to their own very specific data protection needs.

Current DMP outline intact About 25% of original text Shortened text length from 8 pages to 4.5 pages Deleted specific references to RMIS internal procedures Updated the list of Data Trustees, Stewards, and Custodians Made a separately maintained table for: Data Categories Data Trustees Data Stewards Data Custodians

DCS & DMP

12

3/21/2012

Logical Organization from DMP

Role relationships
Data Trustee
Oversight responsibility

Data Steward
Access within his or her unit accuracy, privacy, and security

User
Responsibilites

Data Custodians
Physical data management Manage access rights

Security Admistrator
e.g. Application Security Unit Authorizes users based on Guidelines

DCS & DMP

13

3/21/2012

User Responsibilities

Store data under secure conditions Make every reasonable effort to ensure the appropriate level of data privacy is maintained Use the data only for the purpose for which access was granted Not share IDs or passwords with other persons Securely dispose of sensitive University data
14
3/21/2012

DCS & DMP

Data Steward Classifies Data

Establishes guidelines for his or her data Sets appropriate privacy / security level Avoids compliance findings Delegates authority, responsibility, and accountability DMP and DCS work hand in hand

DCS & DMP

15

3/21/2012

Possible Next Steps

Guidance and awareness (we will work to develop guides; for example, a checklist to help classify data) Possible specific standards for protecting data based on classification level Training program for new data stewards, data custodians, and security administrators Security awareness program for users Resources for Campus Groups
ITD security staff RMIS Information Assurance & Security area
16

DCS & DMP

3/21/2012

So how do these regulations really affect me?

DCS & DMP

17

3/21/2012

Examples General
Most administrative business data was already covered by the previous DMP so Data Trustees, Data Stewards, and Data Custodians are already defined and have established processes for administrative data For other data on campus, similar processes may already be followed and you should make sure they are documented

DCS & DMP

18

3/21/2012

Examples Data Extracts

For users/groups that have received permission to make local copies of data, the Data Trustee and Data Steward are defined by the original data - The copiers have simply made themselves the Data Custodians for their own local copy This was the case under the previous DMP and Information Security Acknowledgement form, it has hopefully been clarified in the new draft DMP
19
3/21/2012

DCS & DMP

Examples Data Extracts with Local Additions

If you are taking a data extract and adding extra local information to the data set, then this additional data is a new Data Category and needs a trustee, steward, and custodian In developing any process for who can access and use the combined data extract and local additions, you need to work with the other Data Steward(s) since the data is not all yours

DCS & DMP

20

3/21/2012

Examples Building Plans

Building plans and other area design plans are very valuable records, since they show how the building is put together There are several areas of data custody that need to be considered

Access limits because of sensitivity of the plans Preservation of original plans Defined source of the current master copy of a building plan Procedures for allowing updates to master building plans
21
3/21/2012

DCS & DMP

Examples Fundraising

During fundraising drives and other donation collection programs, a lot of potentially sensitive information may be collected about the individual donors
Name Address Bank or Credit Card numbers Other financial information

Access to this data and its safe storage and disposal are your biggest concerns
22
3/21/2012

DCS & DMP

Examples Research Data

Research Data is somewhat messy In general, you will probably end up with these roles:
Data Trustee Dean Data Steward PI Data Custodian PI, local IT, grad student

The two biggest issues to address are:

Who can access the data Is the data stored safely

DCS & DMP

23

3/21/2012

Do Nothing Alternative

For those found to have responsibility for the data:

Compliance failures Data compromises Theft of information Lawsuits Fines Loss of reputation

More stringent University-wide data control regulations that:

Can not take into account special characteristics of individual data items Place unnecessary controls on all sensitive data in a more arbitrary way
24
3/21/2012

DCS & DMP

Benefits
Establishes consistency in handling sensitive data Clarifies authority, responsibility, and accountability for the security of data Delegates appropriately Simplifies audit and oversight Helps avoid embarrassing data leaks Guards against severe financial and legal penalties for compliance findings

DCS & DMP

25

3/21/2012