Welcome
Personally Identifiable Information (PII) Protection Training for Data Stewards

Goal
The purpose of today’s training program is to introduce you to a collection of policies designed to protect Personally Identifiable Information (PII) and to your role and responsibilities as a Data Steward.
Data Steward Training

Learning Objectives
As a result of participating in today’s program you will:
• Learn about Loyola’s Personally Identifiable Information (PII) Protection program
• Gain a better understanding of your role and responsibilities as a Data Steward
• Acquire a list of tools and resources that can support you in your role as a Data Steward

Agenda
• The Challenge of Protecting PII
• Loyola’s Process for Protecting PII
• Your Role in Protecting Loyola’s PII
• Tools and Resources

Guidelines
• Program length: 60 minutes
• Ask questions – participate

Protecting Personally Identifiable Information

Loyola recently approved policies covering these areas:
• Data Classification
• Loyola Protected & Sensitive Data Identification
• Physical Security of Loyola Protected & Sensitive Data
• Electronic Security of Loyola Protected & Sensitive Data
• Disposal of Loyola Protected & Sensitive Data
• Loyola Encryption
• Compliance Review
• Data Breach Response

All data produced by employees of Loyola University Chicago during the course of University business will be classified as one of these three types of data:
• Loyola Protected Data
• Loyola Sensitive Data
• Loyola Public Data
(Definitions on next slide)

Definitions
• Loyola Protected data (LPro data)
  • Protected by Federal, state, or local laws
  • Includes SSNs, credit card numbers, bank account info, driver’s license numbers, personal health info, FERPA info, etc.
• Loyola Sensitive data (LSen data)
  • Not covered by laws, but information that Loyola would not distribute to the public
  • Determined by the department that created the data
• Loyola Public data (LPub data)
  • Information that Loyola is comfortable distributing to the general public

Role & Responsibilities for Data Stewards

• The primary responsibility of a data steward is to help their department identify locations of Personally Identifiable Information (PII).
• The data steward will also produce documentation used by ITS and your department indicating where PII is located in the department.

Responsibilities
• Identify computers that store or access Loyola Protected or Loyola Sensitive data
• Conduct systems scan every 6 months
• Use software scanning tool that flags possible LPro information
• Record information from the scanning software tool in a spreadsheet for ITS and your department
• Fill out the department’s Data Security Compliance Review form and submit to ITS

Responsibilities
• Act as a resource for your department by providing information about the policies and their impact
• Conduct presentations as needed to raise awareness
• Sample presentation: http://www.luc.edu/its/pdfs/dspresentation.ppt

Changes in how your department handles Loyola data

Changes for paper documents
• Limit access to department workspaces that store LPro or LSen data in paper form – your department should:
  • Create a list of individuals with access to restricted areas; provide Campus Security with a copy of the list
  • Require a badge or key to access those areas
  • Allow no public access to those areas
• Acquire/use approved shredders to dispose of documents
• Limit access to printers and faxes
• Properly store LPro or LSen documents; avoid leaving LPro or LSen information on desks and other work areas when no one is present

Changes for electronic documents
• Restrict access to computers and other electronic devices that store LPro or LSen data in electronic form
• LPro or LSen data cannot be stored on computers or electronic devices that are not encrypted
• ITS will provide instructions for installing the encryption software for those users that need it

Preferred storage for remote access
LPro or LSen data preferred storage for remote access:
• Network drives (VPN + Remote Desktop)
• Laptop w/ encryption software
• PDA/Blackberry/Smartphone w/ encryption software
• Portable drive w/ encryption software
• CD/DVD/disk as an encrypted file

Disposal of LPro or LSen data
• Paper – Shred either through shredding service or approved personal shredder (Purchasing has list of approved shredders)
• Electronic – Contact ITS for proper disposal
• If taken outside of Loyola, either dispose of as above or bring paper / device back to Loyola for proper disposal

Encryption of data
• Electronic data transfers must be secured
• If you need to send sensitive data via email, please contact ITS for information on sending encrypted emails
• LPro or LSen data on physical media (CD, portable drive, etc.) must be encrypted
• ITS will assist in configuration and training for department-specific issues on an as-needed basis

Report possible breaches / exposures
• Call 86086 / 773-508-6086
• Email email@example.com
• Go to anonymous reporting page at http://www.luc.edu/its/security/data_security_form_anonymous.shtml

University Deployment Plan
Split into 4 phases:
• ITS pilot
• Sullivan Center pilot
• High-risk areas (HR, Finance, etc.)
• Rest of the university
Main communication effort will occur before the 4th phase – university-wide deployment

Communication Strategy
• Town hall meetings
• Inside Loyola Weekly
• Separate email blast to all staff
• Communications specifically targeting faculty

How Do I …?
• Give a presentation to my department about this?
• Perform the scanning portion?
• Install the encryption software?
• Fill out the paperwork?
• Get other questions answered?

How Do I … give a presentation to the rest of my department?
• Recommended so they will have a better understanding of how they can help protect PII and other sensitive data
• Complete presentation available at http://www.luc.edu/its/pdfs/dspresentation.ppt
• Please send any questions you cannot answer to ITS (DataSecurity@luc.edu or x86086)

How Do I … perform the scanning portion?
• Send an email to everyone in your department asking them to go to Loyola Software -> Useful Tools -> Spider Scanner
• This will install and run the scanning software
• The process can take an hour or two, but the user can continue using their machine while it works
• Program will automatically close when done

How Do I … install the encryption software?
• Close all open programs
• Go to Loyola Software -> Useful Tools -> SafeGuard Easy Install
• Machine reboots several times
• Login, wait for machine to reboot twice more
• Close encryption image and login
• Verify red icon on hard drive, logout or lock machine but LEAVE IT POWERED ON!
• You can use your computer while it encrypts, but it will run more slowly until the process completes

How Do I … fill out the paperwork?
• Two different forms to complete
• While reviewing the spider log with the user, fill out the PII Tracking.xls spreadsheet
• Once all computers have been scanned and their logs reviewed, fill out the Data Security Compliance Review form available at http://luc.edu/its/pdfs/gov_PIIP/Personal%20Information%20Protection%20Compliance%20Review.pdf (the last page)

How Do I … get other questions answered?
Call / Email / Stop By
• Joe Bazeley
• firstname.lastname@example.org
• DataSecurity@luc.edu
• 773-508-6086 / 86086
• Granada Center room 235

Tools and Resources
• ITS Contact
  • Joe Bazeley
  • email@example.com
  • 773-508-6086 / 86086
• Policies
• Presentation – add links
• Reporting breaches
  • Anonymous reporting page at http://www.luc.edu/its/security/data_security_form_anonymous.shtml
  • Email firstname.lastname@example.org

Summary
As a Data Steward you play an important role in ensuring that your department is in and remains in compliance with Loyola’s policies for protecting PII and other sensitive information.

Summary: Responsibilities
• Be a resource to your department by providing information about these policies and their impact
• Sample presentation available at http://www.luc.edu/its/pdfs/dspresentation.ppt
• Conduct scans of department media every 6 months
• Check output of LPro/LSen data detection tool on each individual’s computer
• Provide summary info on LPro/LSen data to ITS and your department
• Fill out department’s compliance form for ITS

Summary
• Badge/key access restrictions
• Printers and faxes in secure areas
• Use approved shredders
• Secure desk when not around
• Encryption of computers
• Cannot store LPro or LSen data on unencrypted computers
• Store files on network drives for remote access

Questions?

Thank you for your participation

Full Disk Encryption Install Demo
Short version of install process:
• Close open documents
• Launch program
• Wait several minutes, login
• Wait several minutes, close picture then login again
• Log out or lock computer, but leave it powered on