
Strategies for Strengthening Data Privacy:

Preparing For a Data Privacy Audit


Prepared for the February 29th 2008 University System of Maryland

“Workshop on Data Privacy for Maryland Higher Education”

By Lennox Brown - Asst. Director Information Systems Audits

University System of Maryland – Internal Audit Office


Foreword & Acknowledgements

This paper presents baseline guidance to an organization preparing for a privacy audit.

The author acknowledges that this is a compilation of perspectives from different authors and organizations in the field, though not always specifically identified. Reference to authors’/organizations’ literature, including authors from whom the material was taken, is provided in the privacy resource list at the end of this paper.


Definition of Data Privacy:

(Excerpt from article in Educause Review [6])

“The terms “privacy” and “security” are often used interchangeably in discussions of data protection, and some say that you can’t have the former without the latter. However, there is a distinction between the two frequently complementary, interdependent principles. For organizations like colleges and universities, information privacy involves the policies, procedures, and other controls that determine which personal information is collected, how it is used, with whom it is shared, and how individuals who are the subject of that information are informed and involved in this process.

Information security, on the other hand, includes the process of protecting data from accidental or intentional misuse or modification by people inside or outside the organization. Although information security is by no means strictly a technical problem, its technical aspects (e.g., firewalls, encryption) are important. Accordingly, an organization’s security officer is charged with establishing standards to ensure the integrity, privacy and security of sensitive data, at rest and in transit.”

What Is A Privacy Audit?

(Excerpt from article in EDPACS [11])

“A privacy audit examines the information life-cycle processes organization-wide. The audit must concern itself with the total information flow: who sees it, handles it, modifies it, or otherwise manipulates the information organization-wide. Performing a privacy audit also requires knowledge of the privacy laws in force for all the geographic areas your institution is in, and knowledge of what information should be private within an enterprise.”

Why A Privacy Audit?

The following statistics were taken from the report “Educational Security Incidents (ESI) Year In Review – 2007”, compiled by Educational Security Incidents (ESI), a Web site dedicated to the tracking of information security incidents that occur at colleges and universities around the world, as reported in the news. Starting as an attempt to gather examples of information security breaches at educational institutions, ESI has become a niche Web site tracking and categorizing information security incidents that occur at colleges and universities.

Located at http://www.adamdodge.com/esi, the goal of ESI is to help educational institutions understand the many threats that exist to educational information and information systems.

Figure 1: 2007 Incident Breakdown By Type

Figure 2: Number of 2007 Incidents By Information Exposed

Figure 3: Comparison of 2006 & 2007 Breaches By Type of incident

Figure 4: Comparison of 2006 & 2007 Incidents By Information Exposed

What Are The Benefits of a Privacy Audit?

(Excerpt from article in EDPACS)

A privacy audit can add value to an organization. Privacy Audits will:

1. Identify weaknesses in security and appropriate corrective actions needed to protect sensitive student and employee data

2. Identify gaps that need to be addressed by institutions to comply with applicable privacy laws and regulations

3. Sustain relationships with donors by ensuring the privacy of their activities

4. Enhance credibility and promote confidence and goodwill towards Institutions recognized for safeguarding data. (That is, reduce reputational risk.)

5. Reduce the risk of identity theft.

Probable Locations Where Privacy Breaches can occur in the Higher Ed Environment:

The most likely breach of privacy and associated risk of identity theft from within Institutions can come from those groups in the Institutions that deal directly with customers; for example, Student Registration, Office of the Bursar, Financial Aid, Health Services, Human Resource departments (employee data), and IT departments responsible for providing secure storage and transmission facilities. Breaches are also more likely when personnel in these areas store information unencrypted on laptops and portable storage devices. Systems used for inter-agency transactions (Central Payroll Processing), where remote information transmission is essential, are also areas that require attention.

Steps in Auditing Data Privacy

Auditing for privacy involves the following steps:

1. Know the Institution’s maximum legal ‘privacy protection’ requirements for different types of data.

2. Identify the Institution’s relevant privacy related policies and procedures.

3. Find out what information the Institution typically collects and generates.

4. Identify what information should be private and where and how it is stored.

5. Identify why the Institution classified the information as private. That is, determine if there is a data classification scheme in place. Simple data classification for business should have no more than four categories and, in some cases, two will suffice. The two would be “public” and “confidential” or “private.” When using three categories, “confidential” is limited to senior management or for items that are restricted to a certain department; “private” is data that can be shared within a company; and, “public” is for public dissemination.

6. Identify if the methods used to protect the information/data are adequate. That is, review existing security policies and procedures to determine effectiveness in protecting private data.

7. Report on what must be done to meet the maximum legal requirements identified.

Guidance on Preparing for a Privacy Audit:

1. In response to the audit step – “Know the maximum legal requirements for privacy protection the enterprise must meet wherever they do business.”

Organization Preparatory Efforts:

The organization should familiarize itself with applicable privacy laws and regulations and examine regulations that are specific to its industry. Armed with this knowledge, the organization can design and implement a compliance program that meets the different regulatory requirements and identify common requirement areas to maximize and simplify compliance efforts.

A good starting point for identifying the laws that are applicable to colleges and universities is the EDUCAUSE/Internet2 Computer and Network Security Task Force Study of 2003 - IT Security for Higher Education: A Legal Perspective [3].

The organization should:

· At least annually review privacy and data protection controls in relation to applicable laws and regulations. Management revises, as indicated, privacy policies and procedures to meet the requirements of applicable laws and regulations

· Develop and document policies, schedules, roles, responsibilities, and procedures related to monitoring, evaluating, and assessing the impact of regulatory and environmental changes on operations, roles and responsibilities, technologies, and contracts with third parties

· Revise privacy policies and procedures to reflect changes in regulatory and business environments

2. In response to the audit step – “Locate any relevant policies and procedures the enterprise may have.”

Organization preparatory efforts:

The organization should develop, disseminate, and periodically review/update:

· A formal, documented privacy policy that addresses purpose, scope, roles, responsibilities, and compliance; and

· Formal, documented procedures to facilitate the implementation of the privacy policy and associated controls. The organization should include a requirement that personnel confirm their understanding of privacy policies and procedures before authorizing access to sensitive information.

Your privacy governance program should incorporate:

People - Establish a clear privacy leader who is accountable and has visible executive support. Create a governing or oversight board composed of members throughout your organization to ensure you are effectively incorporating privacy throughout all areas.

Policies - Implement and communicate a clear privacy policy, built around the sound privacy principles and your business environment, and ensure compliance.

Processes - Establish access, authorization, process, and technical controls to support privacy policies.

Awareness and training - Educate all personnel and business partners on privacy requirements.

In preparation for a privacy audit, ensure that your privacy governance framework:

· Establishes a clear privacy leader who is accountable and has visible executive support. Create a governing or oversight group composed of members throughout your organization to ensure you are effectively incorporating privacy throughout all areas.

· Implements and communicates a clear privacy policy built around privacy principles and/or best practices, and ensures compliance

· Educates all personnel and business partners on privacy requirements.

· Establishes access, authorization, process, and technical controls to support privacy policies.

· Continuously monitors compliance and new laws and regulations, and updates programs as necessary.

· Defines and documents the PII your organization handles and your privacy incident response procedures.

· Reports on the privacy environment regularly to board and oversight members.

3. In response to the audit step – “Find out what information the business typically collects and generates.”

Organization preparatory efforts:

Map your data flows by creating a “Data Map”. A “Data Map” details how and what type of information is being received, utilized, managed, and passed on by your organization. In conducting this assessment, you should answer the following questions.

· What information is moving intra-departmentally or intra-personally within your organization?

· What information is moving from your organization to third parties?

· What information is your organization receiving from third parties?

· What relevant information is moving across state/national boundaries?

The answers to these questions will determine your level of privacy-related exposure, and should inform your organizational privacy strategy.

4. In response to the audit step – “Identify what information should be private, why the information is considered private by the organization and where it is stored.”

Organization preparatory efforts:

The organization should develop a data classification standard for specifying the sensitivity of personal information. This includes identifying what information your institution has and what should be considered private. This includes items such as financial statements (GLBA), student information (FERPA), medical records (HIPAA), student financial information (FERPA), human resources reports about employees, etc. Once these are understood, you should develop a simple data classification scheme.

Simple data classification for business should have no more than four categories and, in some cases, two will suffice. The two would be “public” and “confidential” or “private.” When using three categories, “confidential” is limited to senior management or for items that are restricted to a certain department, “private” is data that can be shared within a company, and “public” is for public dissemination. These labels may not fit the mind-set of the enterprise you’re involved with, so feel free to change them.

Example of a data classification scheme:

(Source: EDPACS - Nicholas Nanos article.)

Information can also be classified based on the privacy regulation by which it is governed. Examples of classification types include:

· Medical/Health Information (Governed by HIPAA)

· Financial information (Governed by GLBA)

· Student Information (Governed by FERPA)

(Note: An additional column “Privacy Regulation” could be added to the above table to indicate that the cited information is subject to privacy requirements of the respective privacy regulation.)

5. In response to the audit step – “Identify if the methods used to protect (secure) the information are adequate.”

Organization preparatory efforts:

How private information is protected is of concern for legal and practical reasons. Inaccurate data is worthless, corrupted information is useless, and stolen data is embarrassing and costly to the organization.

Protecting Data Involves:

1. Defining a security policy around identified data.

2. Implementing the relevant security solution appropriate to the sensitivity level of the data being protected, risk level and organization acceptable level of risk.

1. Defining security policy around identified data:

Once the data identification and classification process is complete you are now ready to develop a security policy around the appropriate data. While an organization can deploy security technologies and adhere to all well known procedures, there will always be some level of vulnerability to data. As a result, organizations considering a security solution must put a stake in the ground and determine an acceptable level of threat. In reality, determining the acceptable level of threat within an enterprise is a function of security policy, resources for implementation, and the inherent reality that there will be people and processes that ultimately must access sensitive data.

The organization should develop, document, periodically update, and implement security plans for organizational information systems. Plans describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.

The organization should develop, disseminate, and periodically review/update:

· Formal, documented security planning policy that addresses purpose, scope, roles, responsibilities, and compliance; and

· Formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls.

The organization should develop and implement a security plan for the information system that provides an overview of the security requirements for the system and a description of the security controls in place or planned for meeting those requirements. Designated officials within the organization review and approve the plan.

The organization should:

· Periodically assess security controls in information systems to determine effectiveness;

· Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems, and

· Monitor information system security controls on an ongoing basis to ensure continued effectiveness.

2. Implementing the relevant security solution appropriate to the sensitivity level of the data being protected, risk level and organization acceptable level of risk.

Threats to Data Privacy:

With the broadening number of internal breaches and the increasingly sophisticated attacks from outside the network, ensuring data privacy is vital. To achieve data privacy, it is important to first understand the points of vulnerability within a corporate network. These include:

Application Server Threats:

· Servers compromised by malicious network administrators

· Misconfigured servers can be compromised

· Compromised servers can be used to extract data from databases and other devices on the network

· Authentication credentials (certificates, usernames, and passwords) used to communicate with the devices on the network can be stolen and used from a remote location

· Malicious software can be installed onto the server

Database Server Threats:

· Servers compromised by malicious database administrators

· Authentication credentials are not properly managed (e.g. all applications use the same database username and password)

· Authorization policies within a database are not properly defined (e.g. database users often have access to sensitive information they do not require)
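The two database threats just listed (one shared login for every application, and database users holding privileges they do not need) can be addressed with per-application roles granted only the columns and tables each one requires. This is an added example, not from the paper or any institution named in it; it assumes PostgreSQL, and the table, column and role names are constructed for illustration.

```sql
-- Added example, not from the paper. PostgreSQL syntax; table, column and
-- role names are constructed for illustration.

-- Constructed sample schema: identity data and billing data kept apart.
CREATE TABLE student (
    student_id        integer PRIMARY KEY,
    last_name         text NOT NULL,
    first_name        text NOT NULL,
    ssn               char(11),   -- sensitive: not needed by the bursar application
    major             text,
    enrollment_status text
);
CREATE TABLE student_financial (
    student_id  integer REFERENCES student(student_id),
    balance_due numeric(10,2),
    aid_award   numeric(10,2)
);

-- Weak pattern (the shared-credential threat), shown commented out:
--   CREATE ROLE campus_app LOGIN PASSWORD '...';
--   GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO campus_app;
-- Every application then reads SSNs and balances regardless of its purpose,
-- and one stolen password exposes everything.

-- Hardened pattern: one login per application, each granted only what it needs.
CREATE ROLE registrar_app LOGIN PASSWORD 'PLACEHOLDER-set-per-environment';
CREATE ROLE bursar_app    LOGIN PASSWORD 'PLACEHOLDER-set-per-environment';

-- Start both roles from nothing: drop the default public access to the schema.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO registrar_app, bursar_app;

-- Registrar: may read the student record and change only academic columns;
-- it has no path to billing data at all.
GRANT SELECT ON student TO registrar_app;
GRANT UPDATE (major, enrollment_status) ON student TO registrar_app;

-- Bursar: only the columns needed to match a bill to a person (no SSN),
-- plus read/write on the billing table.
GRANT SELECT (student_id, last_name, first_name) ON student TO bursar_app;
GRANT SELECT, INSERT, UPDATE ON student_financial TO bursar_app;

-- Auditor's check: every column privilege each application role holds.
-- A row showing ssn for bursar_app, or student_financial for registrar_app,
-- would be a finding against the authorization policy.
SELECT grantee, table_name, column_name, privilege_type
  FROM information_schema.column_privileges
 WHERE grantee IN ('registrar_app', 'bursar_app')
 ORDER BY grantee, table_name, column_name;
```

Run the final query as the role that issued the grants; it lists table-level grants expanded per column, so the output is the evidence an auditor compares against the documented access policy.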