EDUCAUSE Security Conference: Who Owns the Data, Anyway?
Created by Lida L. Larsen (EDUCAUSE) on April 17, 2007
Summary:
Who Owns the Data, Anyway? Defining Data Stewardship
Cathy Hubbs, Director, IT Security, George Mason University
Robert Nakles, Executive Director, ITU Security and Project Office, George Mason University
EDUCAUSE Security Professionals Conference
Wednesday, April 11, 2007
Denver, CO
Notes:
Cathy Hubbs and Bob Nackles began their talk with some background information about their environment at George Mason University.
Mainframes to Enterprise Resource Planning
In the mainframe era of what now seems the distant past, just a few chosen people were involved with data at any given college or university. It was easier to be guardians of the data and the access points were limited. While many had access to the data, few had the ability to write to it. Few policies were needed.
Now everyone is involved with data starting with ERPs. We use a single database to store data across the institution and the ownership and responsibilities have become entangled. Today many people create data and even more people have access to read it. Today more policies are needed, the review process is much more stringent, and the policies have a greater impact on process.
ERPs bring a new complexity to the question of data ownership. With the client/server relationship and distributed ownership, it is difficult to secure the end points.
Data Security
Hubb and Nakles ask “what does it take to move a university to become more secure?”
and their answer is that you must have a supportive administration!
They quoted Alan Merten, George Mason President, from the 2005
<a href="http://www.educause.edu/LibraryDetailPage/666?ID=CSD4121”>"Cyber Security on Campus" Executive Awareness Video </a>
“Education and Attention. If every time the President, Deans, and Vice Presidents are getting together and they see that cyber security is on the agenda, we move it from being an IT problem to being my [the University’s] problem. Then we are making progress.” [Alan Merton}
and Tom Hennessey, Chief of Staff to President Merten on the necessary collaboration between IT security and university leadership.
“Collaboration between the IT Security Office and the leadership of the University is critical.
We cannot accomplish our mission to protect the systems that the University relies on to support the faculty, staff, and students without an integrated approach to the security issues we face in this day and age and the ones we face in the future.” [Tom Hennessey]
The channels of collaboration used at George Mason are
- Privacy and Security Compliance Team (PSCT) (appointed by the university president)
- This group looks at compliance and business process issues and makes recommendations to the President. They also review departmental data policies and procedures.
- Security liaisons (appointed by the CIO)
o This group provides the distributed points of contact for recommendations coming form PSCT and disseminate information. They are also the point of contacts for security incidents real or suspected and report through the Computer Security Incident Response Team (CSIRT). In addition they advise on training gaps and review proposed security policies.
- Staff senate (elected body)
- This group fosters communication on data security issues to the greater community and acts as a liaison with the other groups.
Hubbs and Nakles stressed the need for data stakeholders to own their own information.
They believe a strong security program is built on conscientious users who fully participate in the process and that establishing ownership and defining the sensitivity of the data helps users understand their role and responsibilities. Two key questions they ask are:
- Do users fully understand which data are sensitive and which need special handling?
- Who determines if the data they access in their work needs protection?
Establishing the Data Transmission Policy
The CIO at George Mason introduced the data transmission policy idea which was conceived to spell out data responsibilities and the IT security office researched and compared data stewardship policies as they shaped the document. They also looked at NIST computer security publications. Afterwards, the PSCT refocused the original policy, enlarging its scope and bolstering its strength and thus the data stewardship policy was born.
Data Stewards
The new policy defines both the data stewards for George Mason.
- The Chief Data Stewards are the CFO & Provost as they have ultimate responsibility for data the two sectors of data at the university.
- Data Stewards are Deans, Vice-Presidents, Supervisors, Directors, Managers, or others specifically identified for a subset of the university data.
- Data Administrators are responsible for documenting and enabling user access to a specific domain of university data.
- Data Processors are those actually modifying the data.
- Data users are any employee, contractor, affiliate etc who has access to the data but do not modify it.
- Customers are any individuals from whom sensitive data is collected and stored in the system.
Data Classification
There are three levels of data classification noted in the policy.
- Public use data that is available to anyone.
- Internal use data which treads a fuzzy mid-ground set but is not generally available outside the institution. An example of “fuzzy” is a student’s grades which may be “privacy flagged”
- Highly sensitive data includes financial records, credit card information, SSNs, and data falling under federal regulations.
Hubbs and Nakles polled the session attendees and somewhere between 30-40% said their institutions have a data stewardship policy.
Data Responsibilities
Both organizations and individuals responsible for access to and storage of highly sensitive data require a formal written request to the appropriate data administrator for access and each unit must have documented procedures that preserve and protect sensitive data.
Communication and Awareness Training
Five key communication channels exist in order to get the word out to the 7K employees at George Mason about their own responsibilities in data stewardship and security.
- PSCT and the Security Liaisons have combined meetings (invited legal, financial, etc) Note that data stewardship and security is not considered an IT problem at George Mason, it’s a university problem.
- Desktop Computer Security website has been established with prescriptive steps to keep desktops “locked down.” It was noted that for highly sensitive data the resident Security Liaison provided consultation.
· Staff Senate formed the Security Privacy and Compliance Work Group (SPCWG) that was comprised of real workers that translated to a real voice in the university. Staff will be the main implementers of the policy.
· The IT Security Office provides consultations and presentations (awareness training)
· A memo was sent to all university staff and faculty from the Chief Data Stewards on first anniversary of the policy implementation. It basically confirms that no one should handle any sensitive data unless they have been properly trained and authorized.
In addition, the CIO sent note saying “we know of only ten people who should be working with (highly sensitive data) and if you are not one of those ten then you must not be handling it.”
Hubbs and Nakles showed a video clip of Tom Hennessey supporting the policy.
Closing comments
The reason we should care about these issues:
- All universities handle sensitive data
- We all establish policies and use them to support the institutional mission
- We need the support and participation from the administration as well as the staff to make sure the policies work.
Therefore we, as the greater IT community should:
- Share the process of getting data policy on the table
- Gain administrative support and participation
- Be sure the policy is at the university-wide level
- Keep in mind this is only one piece of a security program
Q&A
- There is sometimes a need to differentiate between the “data of record” when there may be other sets of information which are virtually the same but have appropriate other uses.
- The focus is primarily on data in ERP systems.
- There is a focus on both data integrity and data security.
- There are related data retention policy & process issues.
- Both electronic and paper are of a concern.
The presentation slides for “Who Owns the Data Anyway?” are available via the conference website at http://www.educause.edu/SEC07/Program/11616?Product_Code=SEC07/SESS14.
Bookmark/Search this page with:
