Welcome
Personally Identifiable Information (PII) Protection Training for Data Stewards
Data Steward Training
Goal
The purpose for today’s training program is to introduce you to a collection of policies designed to protect Personally Identifiable Information (PII) and to your role and responsibilities as a Data Steward.
Learning Objectives:
As a result of participating in today’s program you will:
• Learn about Loyola’s Personally Identifiable Information (PII) Protection program
• Gain a better understanding of your role and responsibilities as a Data Steward
• Acquire a list of tools and resources that can support you in your role as a Data Steward
Agenda
• The Challenge of Protecting PII
• Loyola’s Process for Protecting PII
• Your Role in Protecting Loyola’s PII
• Tools and Resources
Guidelines
• Program length: 60 minutes
• Ask questions – participate
Protecting Personally Identifiable Information
Loyola recently approved policies covering the following areas:
1. Data Classification
2. Loyola Protected & Sensitive Data Identification
3. Physical Security of Loyola Protected & Sensitive Data
4. Electronic Security of Loyola Protected & Sensitive Data
5. Disposal of Loyola Protected & Sensitive Data
6. Loyola Encryption
7. Compliance Review
8. Data Breach Response
All data produced by employees of Loyola University Chicago during the course of University business will be classified as one of these three types of data:
• Loyola Protected Data
• Loyola Sensitive Data
• Loyola Public Data
(Definitions on next slide)
Definitions
– Loyola Protected data (LPro data)
• Protected by Federal, state, or local laws
• Includes SSNs, credit card numbers, bank account info, driver’s license numbers, personal health info, FERPA info, etc.
– Loyola Sensitive data (LSen data)
• Not covered by laws, but information that Loyola would not distribute to the public
• Determined by the department that created the data
– Loyola Public data (LPub data)
• Information that Loyola is comfortable distributing to the general public.
Role & Responsibilities for Data Stewards
• The primary responsibility of a data steward is to help their department identify locations of Personally Identifiable Information (PII)
• The data steward will also produce documentation used by ITS and your department indicating where PII is located in the department
Responsibilities
• Identify computers that store or access Loyola Protected or Loyola Sensitive data
– Conduct systems scan every 6 months
– Use software scanning tool that flags possible LPro information
– Record information from the scanning software tool in a spreadsheet for ITS and your department
– Fill out the department’s Data Security Compliance Review form and submit to ITS
Responsibilities
• Act as a resource for your department by providing information about the policies and their impact
• Conduct presentations as needed to raise awareness
– Sample presentation: http://www.luc.edu/its/pdfs/dspresentation.ppt
Changes in how your department handles Loyola data
Changes for Paper documents
• Limit access to department workspaces that store LPro or LSen data in paper form – your department should:
– Create a list of individuals with access to restricted areas; provide Campus Security with a copy of the list
– Require a badge or key to access those areas
– Allow no public access to those areas
• Acquire/use approved shredders to dispose of documents
– Limit access to printers and faxes
• Properly store LPro or LSen documents; avoid leaving LPro or LSen information on desks and other work areas when no one is present
Changes for electronic documents
• Restrict access to computers and other electronic devices that store LPro or LSen data in electronic form
• LPro or LSen data cannot be stored on computers or electronic devices that are not encrypted
• ITS will provide instructions for installing the encryption software for those users that need it
Preferred storage for remote access
• LPro or LSen data preferred storage for remote access
1. Network drives (VPN + Remote Desktop)
2. Laptop w/ encryption software
3. PDA/Blackberry/Smartphone w/ encryption software
4. Portable drive w/ encryption software
5. CD/DVD/disk as an encrypted file
Disposal of LPro or LSen data
• Paper – Shred either through shredding service or approved personal shredder (Purchasing has list of approved shredders)
• Electronic – Contact ITS for proper disposal
• If taken outside of Loyola, either dispose of as above or bring paper / device back to Loyola for proper disposal
Encryption of data
• Electronic data transfers must be secured
• If you need to send sensitive data via email, please contact ITS for information on sending encrypted emails
• LPro or LSen data on physical media (CD, portable drive, etc) must be encrypted
• ITS will assist in configuration and training for department-specific issues on an as-needed basis
• Report possible breaches / exposures
– Call 86086 / 773-508-6086
– Email [email protected]
– Go to anonymous reporting page at http://www.luc.edu/its/security/data_security_form_anonymous.shtml
University Deployment Plan
• Split into 4 phases
– ITS pilot
– Sullivan Center pilot
– High-risk areas (HR, Finance, etc.)
– Rest of the university
• Main communication effort will occur before the 4th phase – university-wide deployment
Communication Strategy
• Town hall meetings
• Inside Loyola Weekly
• Separate email blast to all staff
• Communications specifically targeting faculty
How Do I …?
• Give a presentation to my department about this?
• Perform the scanning portion?
• Install the encryption software?
• Fill out the paperwork?
• Get other questions answered?
How Do I…?
Give a presentation to the rest of my department?
• Recommended so they will have a better understanding of how they can help protect PII and other sensitive data
• Complete presentation available at http://www.luc.edu/its/pdfs/dspresentation.ppt
• Please send any questions you cannot answer to ITS ([email protected] or x86086)
How Do I…?
Perform the scanning portion?
• Send an email to everyone in your department asking them to go to Loyola Software -> Useful Tools -> Spider Scanner
– This will install and run the scanning software
– The process can take an hour or two, but the user can continue using their machine while it works
– Program will automatically close when done
How Do I…?
Install the encryption software?
1. Close all open programs
2. Go to Loyola Software -> Useful Tools -> SafeGuard Easy Install
3. Machine reboots several times
4. Login, wait for machine to reboot twice more
5. Close encryption image and login
6. Verify red icon on hard drive, logout or lock machine but LEAVE IT POWERED ON!
You can use your computer while it encrypts, but it will run more slowly until the process completes
How Do I…?
Fill out the paperwork?
• Two different forms to complete
– While reviewing the spider log with the user, fill out the PII Tracking.xls spreadsheet
– Once all computers have been scanned and their logs reviewed, fill out the Data Security Compliance Review form available at http://luc.edu/its/pdfs/gov_PIIP/Personal%20Information%20Protection%20Compliance%20Review.pdf (the last page)
How Do I…?
Get other questions answered?
• Call / Email / Stop By
Joe Bazeley
773-508-6086 / 86086
Granada Center room 235
Tools and Resources
• ITS Contact
– Joe Bazeley
– [email protected]
– 773-508-6086 / 86086
• Policies
• Presentation – add links
• Reporting breaches
– Anonymous reporting page at http://www.luc.edu/its/security/data_security_form_anonymous.shtml
– Email [email protected]
Summary
As a Data Steward you play an important role in ensuring that your department is in and remains in compliance with Loyola’s policies for protecting PII and other sensitive information.
Summary
Responsibilities
• Be a resource to your department by providing information about these policies and their impact
– Sample presentation available at http://www.luc.edu/its/pdfs/dspresentation.ppt
• Conduct scans of department media every 6 months
– Check output of LPro/LSen data detection tool on each individual’s computer
– Provide summary info on LPro/LSen data to ITS and your department
– Fill out department’s compliance form for ITS
Summary
• Badge/key access restrictions
• Printers and faxes in secure areas
• Use approved shredders
• Secure desk when not around
• Encryption of computers
• Cannot store LPro or LSen data on unencrypted computers
• Store files on network drives for remote access
Questions?
Thank you for your participation
Full Disk Encryption Install Demo
Short version of install process:
1. Close open documents
2. Launch program
3. Wait several minutes, login
4. Wait several minutes, close picture then login again
5. Log out or lock computer, but leave it powered on