Welcome Personally Identifiable Information (PII) Protection Training for Data Stewards

Upload: rasel-khondaker

Post on 11-Jun-2015


TRANSCRIPT

Page 1: Datastewards

Welcome

Personally Identifiable Information (PII) Protection Training for Data Stewards

Page 2: Datastewards

Data Steward Training

Goal

The purpose for today’s training program is to introduce you to a collection of policies designed to protect Personally Identifiable Information (PII) and to your role and responsibilities as a Data Steward.

Page 3: Datastewards

Data Steward Training

Learning Objectives:

As a result of participating in today’s program you will:

• Learn about Loyola’s Personally Identifiable Information (PII) Protection program

• Gain a better understanding of your role and responsibilities as a Data Steward

• Acquire a list of tools and resources that can support you in your role as a Data Steward

Page 4: Datastewards

Data Steward Training

Agenda

• The Challenge of Protecting PII

• Loyola’s Process for Protecting PII

• Your Role in Protecting Loyola’s PII

• Tools and Resources

Page 5: Datastewards

Data Steward Training

Guidelines

• Program length: 60 minutes

• Ask questions – participate

Page 6: Datastewards

Data Steward Training

Protecting Personally Identifiable Information

Page 7: Datastewards

Data Steward Training

Loyola recently approved policies covering the following areas:

1. Data Classification

2. Loyola Protected & Sensitive Data Identification

3. Physical Security of Loyola Protected & Sensitive Data

4. Electronic Security of Loyola Protected & Sensitive Data

5. Disposal of Loyola Protected & Sensitive Data

6. Loyola Encryption

7. Compliance Review

8. Data Breach Response

Page 8: Datastewards

Data Steward Training

All data produced by employees of Loyola University Chicago during the course of University business will be classified as one of these three types of data:

› Loyola Protected Data

› Loyola Sensitive Data

› Loyola Public Data

(Definitions on next slide)

Page 9: Datastewards

Data Steward Training

Definitions

– Loyola Protected data (LPro data)

• Protected by Federal, state, or local laws

• Includes SSNs, credit card numbers, bank account info, driver’s license numbers, personal health info, FERPA info, etc

– Loyola Sensitive data (LSen data)

• Not covered by laws, but information that Loyola would not distribute to the public

• Determined by the department that created the data

– Loyola Public data (LPub data)

• Information that Loyola is comfortable distributing to the general public.

Page 10: Datastewards

Data Steward Training

Role & Responsibilities for Data Stewards

Page 11: Datastewards

Data Steward Training

• The primary responsibility of a data steward is to help their department identify locations of Personally Identifiable Information (PII)

• The data steward will also produce documentation used by ITS and your department indicating where PII is located in the department

Page 12: Datastewards

Data Steward Training

Responsibilities

• Identify computers that store or access Loyola Protected or Loyola Sensitive data

– Conduct systems scan every 6 months

– Use software scanning tool that flags possible LPro information

– Record information from the scanning software tool in a spreadsheet for ITS and your department

– Fill out the department’s Data Security Compliance Review form and submit to ITS

Page 13: Datastewards

Data Steward Training

Responsibilities

• Act as a resource for your department by providing information about the policies and their impact

• Conduct presentations as needed to raise awareness

Sample presentation: http://www.luc.edu/its/pdfs/dspresentation.ppt

Page 14: Datastewards

Data Steward Training

Changes in how your department handles Loyola data

Page 15: Datastewards

Data Steward Training

Changes for Paper documents

• Limit access to department workspaces that store LPro or LSen data in paper form – your department should:

– Create a list of individuals with access to restricted areas; provide Campus Security with a copy of the list

– Require a badge or key to access those areas

– Allow no public access to those areas

• Acquire/use approved shredders to dispose of documents

– Limit access to printers and faxes

• Properly store LPro or LSen documents; avoid leaving LPro or LSen information on desks and other work areas when no one is present

Page 16: Datastewards

Data Steward Training

Changes for electronic documents

• Restrict access to computers and other electronic devices that store LPro or LSen data in electronic form

• LPro or LSen data cannot be stored on computers or electronic devices that are not encrypted

• ITS will provide instructions for installing the encryption software for those users that need it

Page 17: Datastewards

Data Steward Training

Preferred storage for remote access

• LPro or LSen data preferred storage for remote access

1. Network drives (VPN + Remote Desktop)

2. Laptop w/ encryption software

3. PDA/Blackberry/Smartphone w/ encryption software

4. Portable drive w/ encryption software

5. CD/DVD/disk as an encrypted file

Page 18: Datastewards

Data Steward Training

Disposal of LPro or LSen data

• Paper – Shred either through shredding service or approved personal shredder (Purchasing has list of approved shredders)

• Electronic – Contact ITS for proper disposal

• If taken outside of Loyola, either dispose of as above or bring paper / device back to Loyola for proper disposal

Page 19: Datastewards

Data Steward Training

Encryption of data

• Electronic data transfers must be secured

• If you need to send sensitive data via email, please contact ITS for information on sending encrypted emails

• LPro or LSen data on physical media (CD, portable drive, etc) must be encrypted

• ITS will assist in configuration and training for department-specific issues on an as-needed basis

Page 20: Datastewards

Data Steward Training

• Report possible breaches / exposures

– Call 86086 / 773-508-6086

– Email [email protected]

– Go to anonymous reporting page at http://www.luc.edu/its/security/data_security_form_anonymous.shtml

Page 21: Datastewards

University Deployment Plan

• Split into 4 phases

– ITS pilot

– Sullivan Center pilot

– High-risk areas (HR, Finance, etc)

– Rest of the university

• Main communication effort will occur before the 4th phase – university-wide deployment

Page 22: Datastewards

Communication Strategy

• Town hall meetings

• Inside Loyola Weekly

• Separate email blast to all staff

• Communications specifically targeting faculty

Page 23: Datastewards

How Do I …?

• Give a presentation to my department about this?

• Perform the scanning portion?

• Install the encryption software?

• Fill out the paperwork?

• Get other questions answered?

Page 24: Datastewards

How Do I…?

Give a presentation to the rest of my department?

• Recommended so they will have a better understanding of how they can help protect PII and other sensitive data

• Complete presentation available at http://www.luc.edu/its/pdfs/dspresentation.ppt

• Please send any questions you cannot answer to ITS ([email protected] or x86086)

Page 25: Datastewards

How Do I…?

Perform the scanning portion?

• Send an email to everyone in your department asking them to go to Loyola Software -> Useful Tools -> Spider Scanner

– This will install and run the scanning software

– The process can take an hour or two, but the user can continue using their machine while it works

– Program will automatically close when done

Page 26: Datastewards

How Do I…?

Install the encryption software?

1. Close all open programs

2. Go to Loyola Software -> Useful Tools -> SafeGuard Easy Install

3. Machine reboots several times

4. Login, wait for machine to reboot twice more

5. Close encryption image and login

6. Verify red icon on hard drive, logout or lock machine but LEAVE IT POWERED ON!

You can use your computer while it encrypts, but it will run more slowly until the process completes

Page 27: Datastewards

How Do I…?

Fill out the paperwork?

• Two different forms to complete

– While reviewing the spider log with the user, fill out the PII Tracking.xls spreadsheet

– Once all computers have been scanned and their logs reviewed, fill out the Data Security Compliance Review form available at http://luc.edu/its/pdfs/gov_PIIP/Personal%20Information%20Protection%20Compliance%20Review.pdf (the last page)

Page 28: Datastewards

How Do I…?

Get other questions answered?

• Call / Email / Stop By

Joe Bazeley

[email protected]

[email protected]

773-508-6086 / 86086

Granada Center room 235

Page 29: Datastewards

Data Steward Training

Tools and Resources

• ITS Contact

– Joe Bazeley

– [email protected]

– 773-508-6086 / 86086

• Policies

• Presentation – add links

• Reporting breaches

– Anonymous reporting page at http://www.luc.edu/its/security/data_security_form_anonymous.shtml

– Email [email protected]

Page 30: Datastewards

Summary

As a Data Steward you play an important role in ensuring that your department is in and remains in compliance with Loyola’s policies for protecting PII and other sensitive information

Page 31: Datastewards

Summary

Responsibilities

• Be a resource to your department by providing information about these policies and their impact

– Sample presentation available at http://www.luc.edu/its/pdfs/dspresentation.ppt

• Conduct scans of department media every 6 months

– Check output of LPro/LSen data detection tool on each individual’s computer

– Provide summary info on LPro/LSen data to ITS and your department

– Fill out department’s compliance form for ITS

Page 32: Datastewards

Summary

• Badge/key access restrictions

• Printers and faxes in secure areas

• Use approved shredders

• Secure desk when not around

• Encryption of computers

• Cannot store LPro or LSen data on unencrypted computers

• Store files on network drives for remote access

Page 33: Datastewards

Data Steward Training

Questions?

Page 34: Datastewards

Data Steward Training

Thank you for your participation

Page 35: Datastewards

Full Disk Encryption Install Demo

Short version of install process:

1. Close open documents

2. Launch program

3. Wait several minutes, login

4. Wait several minutes, close picture then login again

5. Log out or lock computer, but leave it powered on