How to Be a Chief Privacy Officer When Your University Doesn't Have One Yet (237149412)


8/11/2019 How to Be a Chief Privacy Officer When Your University Doesn't Have One Yet (237149412)

http://slidepdf.com/reader/full/how-to-be-a-chief-privacy-officer-when-your-university-doesnt-have-one 1/21

Security Professionals Conference

May 7th 2014

Geoffrey S. Nathan PhD

Wayne State University

Bruce L. White MBA CRM PMP

Old Dominion University


Textbook

Resources

Reality


Geoff Nathan, Faculty Liaison, C&IT, Wayne State University
◦ informally, Chief Privacy Officer
◦ has been campaigning on campus for increased awareness of privacy and the need for policy for several years

Bruce White, University Records Manager/HIPAA Privacy Official, Old Dominion University
◦ responsible for implementing a campus-wide records management program


More information collected

Regulatory environment expanding

Unauthorized access

Breach notification and enforcement

Personal mobile devices

Borderless technology

Cyber risk
◦ Phishing
◦ ‘Whoops, I must have dropped my thumb drive’
◦ Apple Picking


Management

Notice

Choice and consent

Collection

Use, retention and disposal

Access

Security for privacy

Training

Monitoring and enforcement


Federal:
◦ Family Educational Rights and Privacy Act (FERPA)
◦ Gramm-Leach-Bliley Act (GLB)
◦ Health Insurance Portability and Accountability Act (HIPAA)
◦ Children's Online Privacy Protection Act (COPPA)
◦ Fair Credit Reporting Act (FCRA)
◦ Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

State:
◦ FOIA/Privacy
◦ Recordkeeping requirements

‘Self’-Regulation:
◦ Payment Card Industry Data Security Standard (PCI-DSS)


Make new friends:
◦ Office of General Counsel
◦ Internal Audit
◦ HR Director
◦ Comptroller
◦ Provost
◦ VP Administration

And keep the old:
◦ CIO
◦ CSO


Talk to your new friends (or at least the old ones)

Collect some scary stories
◦ These days they are not hard to find:
  Target
  Heartbleed
  The flood of phishing messages

Make a general plan, perhaps following these suggestions


W5H

Categories:

Personal Information

Collection

Uses

Maintenance, Storage and Deletion

Protection

Applicable Laws

Enforcement


Applicable Laws (data inventory; the original table has one row per law, with the columns Applicable Law, Official/Unofficial Citations, Governing Jurisdiction, Protected Information Components/Elements, Data/Document Repository(s), Data Owner(s), Data Classification, Encrypt Data?, and Retention)

Family Educational Rights & Privacy Act (FERPA)
  Official/Unofficial Citations: 20 USC §1232g; 34 CFR Part 99
  Governing Jurisdiction: US
  Protected Information Components/Elements:
    2) The name of the student's parent or other family members;
    3) The address of the student or student's family;
    4) A personal identifier, such as the student's social security number, student number, or biometric record;
  Data/Document Repository(s): 1) Banner; 2) Blackboard; 3) Banner Document Management; 4) Shared Drives
  Data Owner(s): 1) Registrar; 2) Provost
  Data Classification: Highly Confidential
  Encrypt Data? No
  Retention: Student Record - Permanent

Virginia Freedom of Information Act
  Official/Unofficial Citations: COV §2.2-3705.4
  Governing Jurisdiction: VA
  Protected Information Components/Elements:
    1) Scholastic records containing information concerning identifiable individuals
    2) Confidential letters and statements of recommendation placed in the records of educational agencies or institutions respecting (i) admission to any educational agency or institution, (ii) an application for employment, or (iii)
  Data/Document Repository(s): 1) Banner; 2) Blackboard; 3) Banner Document Management
  Data Owner(s): 1) Registrar; 2) Provost
  Data Classification: Highly Confidential
  Encrypt Data? No
  Retention: Student Record - Permanent

Health Insurance Portability & Accountability Act (HIPAA)
  Official/Unofficial Citations: 45 CFR Parts 160, 162, & 164
  Governing Jurisdiction: US
  Protected Information Components/Elements:
    1) Name
    2) Postal address
    3) All elements of dates except year
    4) Telephone number
    5) Fax number
    6) Email address
    7) URL address
    8) IP address
    9) Social security number
    10) Account numbers
    11) License numbers
    12) Medical record number
    13) Health plan beneficiary #
    14) Device identifiers and their serial
  Data/Document Repository(s): 1) Medicat (SHS); Shared Drives
  Data Owner(s): 1) Student Health Services; 2) College of Health Sciences; 3) Athletic Department; 4) Student Counseling
  Data Classification: Highly Confidential
  Encrypt Data? Yes
  Retention: 6 Years after last Action


Privacy office structure

Stakeholder involvement

Policy and notice

Embed into:
  IT system design and architecture
  IT Security
  Training and awareness

Respond


Governance Models

Centralized
  Advantages: Streamlines processes and procedures
  Disadvantages: Employees not decision makers

Local/Decentralized
  Advantages: Places decisions at data owner level; bottom-to-top flow of information
  Disadvantages: Potentially creates duplication of efforts

Hybrid
  Advantages: Offers resources of centralized program; decentralized decision making
  Disadvantages: Less big picture vision


Key Stakeholders
  Human Resources
  Information Security
  Finance and Accounting
  Internal Audit
  Legal
  Provost/Faculty
  Registrar

Create Steering Committee

Establishing program parameters


Mission and scope

Definitions

Responsibilities

Restricted information:
  Safeguards
  Storage and use
  Retention and disposal

Violation:
  Investigation
  Response


Ad hoc: Program informal and inconsistently applied

Repeatable: Policies and procedures exist; may not cover all areas

Defined: Policies and procedures fully documented and implemented

Managed: Reviews conducted

Optimized: Regular reviews and stakeholder feedback


Decentralized – data controllers

Policies:
  HIPAA
  Data Classification
  Records Management
  Student Record (FERPA)
  Information Security

HIPAA Privacy Officer Assigned (Me)


Assessment in early stages

SSN Protection Steering Committee

Because of funding constraints, full-time CPO unlikely

AICPA MM Level - Repeatable


Previous President, alarmed by Freeh Report recommendation on data retention policies (WSU didn’t have any)

Set up committee to develop a policy and framework (yours truly as chair)

Issues like COPPA and a Web privacy policy being addressed on an ad hoc basis with speaker as central core on each

Ultimately will have a governance structure, although a CPO still unlikely in these budget days.


International Association of Privacy Professionals (https://www.privacyassociation.org)

Privacy Program Management, Russell R. Densmore

American Institute of CPA’s (www.aicpa.org)

CIO.gov (https://cio.gov/about/groups/privacy-cop/privacy/)

Electronic Privacy Information Center (epic.org)

StaySafeOnline.org

HealthIT.gov

Sample Video Surveillance Policy


Questions?
