

Page 1: It’s Past Midnight Do you know where your data are? EDUCAUSE MIDWEST 2008 Mary Pickering, Program Director, University Information Services, Georgetown

It’s Past Midnight
Do you know where your data are?

EDUCAUSE MIDWEST 2008
Mary Pickering, Program Director, University Information Services, Georgetown University

Copyright Mary Pickering, 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 2

What they really fight about inside the Beltway …

Data are!

Data is!

Page 3

Defining the scope of the problem

A brief survey
  Data breaches
  Regulatory implications
  Damage

Formal review & approval processes
  Information technology

Page 4

Contracts at Georgetown

1789-2005: Decentralized, self-regulated, ‘generous’

2005-2006: Formal centralized review
  Process for additional review
  Standard Terms & Conditions
  Fiscal motivation primary
  Slow rate of acceptance

A new paradigm

Page 5

Regulatory responses to a brave new electronic world

40 states & the District of Columbia have data breach notification laws
  2003: California
  Range of actions
  Implications for universities and colleges

Page 6

The nature of data breaches

Page 7

Cause #1 - Us

Human error

Poor security practices

Failure to consider the wider picture

Page 8

Cause # 2 - Them

‘Joyriders’

Criminal activity

Exponential growth

Page 9

How do we react to this new reality?

Page 10

IT professionals on the front lines

Protecting against external threats
  Implement firewalls
  Monitor systems

Protecting against systemic internal risks
  Eliminate ‘protected’ data
  Enforce secure passwords
  Provision encrypted laptops
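You cannot eliminate ‘protected’ data you have not located, and the slide’s own title asks exactly that question. The script below is an added example written for this transcript, not code from the EDUCAUSE presentation or from Georgetown’s UIS: it sweeps a directory tree, flags files that hold hyphenated SSN-like values, and reports them masked so the scan output does not become a second copy of the protected data. The regex, the MIN_DISTINCT threshold, the MAX_BYTES cap, the file names and the SAMPLE_EXPORT roster are all this example’s assumptions or constructed inputs.

```python
"""Find 'protected' data at rest before deciding whether to eliminate it.

Added example for this slide; it is not from the EDUCAUSE deck. The SSN
structure rules (area 000/666/9xx, group 00 and serial 0000 are never
issued) follow the Social Security Administration's published format; the
regex, the distinct-count threshold and the file-size cap are this
example's own assumptions.
"""
import os
import re

# Hyphenated SSNs only. Bare 9-digit runs collide with phone numbers and
# student IDs, so a first pass deliberately leaves them out (assumption).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")

# Assumed threshold: one hit may be a test value; several distinct SSNs in
# one file almost always means a roster or a system export.
MIN_DISTINCT = 3

# Files larger than this are skipped to keep a campus-wide sweep bounded
# (assumed cap; raise it for known database dumps).
MAX_BYTES = 50 * 1024 * 1024

# Constructed sample of the kind of export that leaks: a client roster.
SAMPLE_EXPORT = """client_id,name,ssn,dob
1001,A. Example,123-45-6789,1941-03-02
1002,B. Example,234-56-7890,1938-11-15
1003,C. Example,345-67-8901,1945-07-30
"""


def scan_text(text: str) -> list[str]:
    """Return distinct SSN-like values in text, in order of first appearance."""
    found: list[str] = []
    for m in SSN_RE.finditer(text):
        if m.group(0) not in found:
            found.append(m.group(0))
    return found


def mask(ssn: str) -> str:
    """Keep only the last four digits so the report is not itself protected data."""
    return "***-**-" + ssn[-4:]


def is_roster(text: str) -> bool:
    """True when text holds enough distinct SSNs to be a data set, not a stray value."""
    return len(scan_text(text)) >= MIN_DISTINCT


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk root; map each file path to the masked SSNs found in it (files with none are omitted)."""
    hits: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    values = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if values:
                hits[path] = [mask(v) for v in values]
    return hits


if __name__ == "__main__":
    import tempfile

    # Demo on a throwaway directory: the constructed roster plus a harmless note
    # whose phone number and dates must not trip the pattern.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "aging_clients.csv"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_EXPORT)
        with open(os.path.join(tmp, "notes.txt"), "w", encoding="utf-8") as fh:
            fh.write("Meeting moved to 2008-03-10; call 202-555-0100.\n")
        for path, masked in scan_tree(tmp).items():
            tag = "ROSTER" if len(masked) >= MIN_DISTINCT else "single"
            print(f"{tag:6} {path}: {', '.join(masked)}")
```

Run it against a departmental share or a self-managed server’s web root before the server is decommissioned, and triage the ROSTER hits first; add further patterns (credit card numbers, student IDs) to the same loop rather than writing a second sweep.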

Page 11

But what about the risks that technology can’t protect against?

Page 12

Risk #1 – Alpha projects

Banner – a multi-year, complete overhaul of a core system project?
  protected data
  integrations
  scale

Page 13

Risk #2 – Taming the beast

How about the new e-mail system?
  high profile
  campus-wide
  outsourced

Page 14

Controlling risk in large scale projects

Layers of approval
Dedicated project managers
Multiple expert resources
Oversight committees
Extensive change control procedures
Separation of duties
Checks and balances

Page 15

Risk #3 – Stealth projects

Professor Pookie
  protected data
  no oversight
  mixed technical bag

Page 16

Imperfect storm at Georgetown

Human factors: technically sophisticated faculty member

Technical factors: self-managed servers

Environmental factors: lack of institutional oversight; legacy contract since the mid ’80s

Page 17

Counting the costs

The breach
  41,000 clients of the Office of Aging
  No criminal activity using the data

The impact
  $300,000+ (data analysis, notification, materials, legal counsel)
  200+ staff hours
  Loss of productivity
  Damaged relationships & reputation

Page 18

Immediate institutional response

May 2006: All contracts involving technology must be reviewed by central IT (University Information Services)
  Executive VP, General Counsel & CIO mandate
  Effective immediately

Page 19

Yikes!

What is this contract for?
  Vast breadth of quality & detail
  Lack of understanding
  Jumping the gun

Who are you?
  Widespread confusion
  Even wider spread displeasure

What do we do now?
  Definition of ‘involving technology’
  Internal process, ownership & tracking
  Review criteria

Page 20

The flood of 2007

Chart: Contracts (1,200); IT (10%); Web (45%); Non-web (55%)

Page 21

Coping

1. Start with what we can control

2. Tackle what’s out of our control

3. (Re-)enforcement

Page 22

1. Start with what we can control

Internal process
  1. Log the contract
  2. Assign ownership
  3. Initial review
     a. Additional review
  4. Record results

Page 23

IT contract review process

Contract submitted to Purchasing & Contracts
  |
Does the contract involve information technology?
  If YES: send to UIS
  |
Contract assigned to contract review coordinator
  |
Contract Review Memorandum created
  |
Initial review conducted
  |
Does the contract require specialist review?
  If YES: specialist assigned; review conducted
  If NO: continue
  |
Contract Review Memorandum finalized
  |
Approve or reject; requirements for approval & recommendations sent to P&C and client

Page 24

Refinement

Internal process
  Address bottlenecks
  Boilerplate language

Set expectations
  Initial communication
  Review interview
  Vendor contact

Develop standardized contract review criteria

Page 25

Contract Review Memorandum

Serves as official record
  Contract details as submitted
  Contact with departments & vendors
  Requirements for execution
  Recommendations for project improvements

Easy comparison of contracts with similar or the same vendors

Easy reference

Page 26

Standardized contract review criteria

What data are gathered/stored/transmitted?
Where is the system or data hosted?
What authentication & authorization are involved?
What access does the vendor have to protected data?
Does the system interact with other systems?
Are there any regulatory implications?
What policies are applicable?
Is ongoing support included in the contract?

Page 27

Coping

1. Start with what we can control

2. Tackle what’s out of our control

3. (Re-)enforcement

Page 28

2. Tackle what’s out of our control

Education
  Develop background materials
  Dog and pony shows
  Set expectations
  ’Deputize’ IT partners

Intervention
  Act as consultants for departments
  Act as intermediary with vendors

Remove barriers
  Set minimum standards
  Provide standardized confidentiality addendum
  Provide template for Statements of Work

Page 29

Statement of Work template

Project details & description

Nature of contracted services
  Discovery/design
  Licensed product
  Application development
  Implementation

Scope
Responsibilities
Assumptions
Deliverables
Hosting, vendor access, support

Page 30

Coping

1. Start with what we can control

2. Tackle what’s out of our control

3. (Re-)enforcement

Page 31

3. (Re-)enforcement

Push work back on departments: without UIS approval there is
  No executed contract
  No payment of vendor
  No release of work product

Page 32

Results

Significant reduction of review time
  Practice makes perfect
  Focusing on the priorities
  Less time chasing details

Informed clients
  Pre-reviews

Better contracts; saved money

Better grasp of the scope of technology initiatives across campus
  Insight into typically independent sectors

Page 33

Why institute a formal contract review process?

Leverage existing contracts
Increased security overall; protects vendors and clients alike
Speed to contract execution; prompt payment for vendors
Formal record of findings & approval requirements & recommendations
An ounce of prevention is worth a pound of cure

Page 34

Questions?

Examples: Contract Review Memorandum; Template Statement of Work

For more information, feel free to contact: Mary Pickering – [email protected]