Developing an Enterprise-Wide Privacy and Data Security Training Program
Ross T. Janssen, J.D., CIPP
Privacy & Security Officer
University of Minnesota

John T. Jensen, CHPS, CIPP
Assistant Director
Privacy & Security Office
University of Minnesota
Outline
• Drivers
• Organizational Complexity
• Key Project Components
• Costs and Timelines
• Lessons Learned
• Questions
Drivers
• Incidents
• Notification law
• New IT security laws
• Leverage resources
• Lots of regulation
Complexity of Higher Education
– Multi-part missions
– Culture of Openness
– Decentralized Organization
– Need for Privacy and Security
– Diverse stakeholders
– Regulations
– Community Expectations
Developing a Balanced Approach: Key Assumptions
• University faculty, staff, and students create, use, access, store, and share private data.
• Must understand human dimensions as well as acknowledge the need to address not only what is required (law) but also what is expected (from the community).
Key Project Components
• Analysis & Planning
• Curriculum & Instructional Design
• Content Development
• Training Delivery & Tracking
• Awareness & Communications
• Evaluation & Measurements
• Reporting
Analysis & Planning
• Process
• Key Findings
  – Content
  – Technology and delivery
  – Patterns of use
  – Challenges
• Recommendations
Analysis & Planning
• Mandatory or voluntary
• Role based?
• Scope
• Measurements
• Opportunities
Purpose
• Educate users about institutional expectations.
• Educate users about good IT practices.
• Enhance productivity through standard practices.
Course Curriculum
Data Security in Your Job
Securing Your Computer Workstation
Using University Data
Self Assessment
Personnel Data
Student Data
Health Data
Financial Data
Faculty, Managers, & Supervisors
Content Development
• Principal v. topical
• Identify subject matter experts
• Policy translation
• Course objectives
• Identify resources
• Lots and lots and lots of time!
Training Delivery & Tracking
• Privacy Coordinator/Liaison Structure
• Leveraging Existing Infrastructure
  – Human Resources System (PeopleSoft)
  – University portal (www.myu.umn.edu)
  – Database (Oracle)
  – eLearning System (WebCT – Blackboard)
  – Email
• Tracking & Delivery Enhancements
  – Tiered assignments for timed delivery
  – Reports
Communications & Awareness
• Challenges
  – Decentralized communication infrastructures
  – Multiple web identities
  – Communicating to Faculty
  – Communicating to research personnel
• “I work with rats, not data”
Communications & Awareness – A Multi-Tiered Approach
– Packaged Communications (mailings, posters, logos, banners, etc.)
– Strategic Communications (memorandums, electronic notices of course assignments, in-person meetings, scripts for supervisors and coordinators)
Communications & Awareness - Packaged
Measurements: Evaluation & Reporting
[Figure: two bar charts, "Assessing Confidence Levels: Before and After Training". x-axis: Question (1 to 7); y-axis: Percentage; series: Strongly Disagree, Disagree, Agree, Strongly Agree.]
1. I am confident that I can secure my work environment and the private data I may use in my job.
2. I am confident that I can identify resources for securing my computer workstation.
3. I am confident that I can create and use strong passwords.
4. I am confident that I can recognize actions that increase security risk.
5. I am confident that I can use best practices to reduce the risks associated with using and sharing University private data.
6. I am confident that I can identify security issues and take appropriate action to address them.
7. I am confident that I can identify what University data are private and what University data are public.
Costs and Timelines

| Component | Time | Costs |
| --- | --- | --- |
| Analysis & Planning (front-end analysis) | 80 hours (.5 months) | $15,000 consultants only |
| Curriculum & Instructional Design; Content Development | 1,500 hours (9+ months) | $110,000 consultants only |
| Training Delivery & Tracking; Reporting | 1,700 hours (10+ months) | $170,000 business analyst and programmers |
| Awareness & Communications | 500 hours (3+ months) | $35,000 designers, consultants, materials |
| Evaluation | 80 hours (.5 months) | $7,000 |
| Total | 23 months* | $337,000* |
Contact Information
Privacy & Security Office
University of Minnesota
[email protected]
Ross T. Janssen, JD, [email protected]
John T. Jensen, CHPS, [email protected]