It's 10pm. Do You Know Where Your Institution's PII Is? Reducing Risk by Understanding the How, Where, and Why of your PII


Chris Oswald, Assistant Director, IT Audit
Jerome Park, Director, IT Audit
Princeton University Office of Audit and Compliance

Who are we?
- Jerome Park, Director, IT Audit
- Christopher Oswald, Assistant Director, IT Audit

Our Goals For Today
We hope everyone will leave here today with:
- Insight into the value of understanding how PII is used, collected, stored and transmitted at your institution
- A project framework for conducting your own PII risk assessment
- An understanding of how to build tools that provide ongoing insight into risk related to PII
We are happy to share everything we talk about during this session. We only have one ask: if you enhance the methodology or any supporting material, please share it with us so we can incorporate the enhancements into our upcoming projects.

Our Time Together
Is short: only 50 minutes! We break our time down into three areas:
- History and Context
- The Project
- Outcomes, Lessons Learned and Next Steps
Look for the icon throughout the deck; these are key take-away items.

History and Context: How did we get here?
- VP of Human Resources wants a better understanding of the lifecycle of PII in the Office of Human Resources (OHR)
- OHR was completing a project to remove all unneeded PII from reports in the Information Warehouse; wanted to do more
- This is a focus area for the entire institution and is linked directly with a significant revision to the University's Information Security Policy
- The Office of Audit and Compliance (OAC) and OHR agreed to partner

First, a bit of history (and context)
- Princeton has been continuously working to secure and manage PII.
- Significant revision to our Information Security Policy in 2015. Moved the policy to a focus on information protection and classification, and away from Operations.
- This was a big deal: the new policy came with clear definitions and obligations for administrators that included required controls for certain data elements!

History and Context - Continued
Policy outlines four classification categories:
- Restricted
- Confidential
- Unrestricted within Princeton University
- Public
Restricted Classification is the only category that defines elements of data; all other data is to be classified by management:
- SSN
- Bank Account Numbers
- State Identity Cards
- Driver's License
- PHI (elements as defined by HIPAA)
- Credit Card Numbers

History and Context - Continued
- Control requirements based on data classification are compiled in a reference website: ProtectOurInfo.Princeton.edu
- Website and guidance is maintained by the Information Security Office (ISO)

The Project

The Project
- We have some defined requirements: Information Security Policy
- We know what we need to do: better understanding of the lifecycle of PII in Human Resources
- How do we do it?

The Project: I've got this, I'm an IT person after all!
- Step 1: Run Scanner
- Step 2: Find Data
- Step 3: Apply controls
- Step 4: Celebrate

The Project: Not So Fast!
- In 1966 Maslow coined the concept known as The Law of the Instrument*
- Basically a cognitive bias that always leads you to use the same tool regardless of the problem: "If the only tool I have is a hammer, then everything is a nail"
- This was a critical moment for our project: is this actually an IT problem that can be solved with IT tools like scanners? Or are we dealing with a business problem with significant IT dependency?
*There is dispute about the attribution of this concept

The Project: This realization raised a number of questions!
- How do we get the data in the first place?
- What do we do with the data after we use it?
- Where do we store the data?
- Why do we need the data?
- Should we be storing the data?
- Do we need to share the data?
- How do we share the data?

The Project: Root Cause Analysis
- Data has a life of its own
- We still need data, yes, even restricted data
- Finding it only addresses a small part of the life cycle
- Location today is no guarantee about where it will be tomorrow
Develop a deeper understanding of the data life cycle to enable management to apply controls without impacting service levels. Specifically we wanted to understand the risk associated with:
- Collect (How does the data get into our organization?)
- Use (Why are we collecting it?)
- Store (Where do we keep the data and for how long?)
- Transmit (Are we sending it on?)

The Project In a Nutshell
Phase 1: Planning, Education, and Data Gathering
- Information session with department leadership team on the Information Security Policy and restricted data elements
- Develop customized survey to identify where restricted data elements are collected, used, stored and transmitted, as well as whether department members have restricted data they do not need
- Joint presentation at department all-staff meeting to introduce the project, share details about the survey and answer questions
- Survey department members; analyze survey results and identify where restricted data is collected, used, stored and transmitted
Phase 2: Documentation, Analysis, and Reduction Opportunities
- Share survey results, analysis and a list of recommended process mapping interviews with department leadership
- Conduct interviews
- Document processes and identify potential opportunities to reduce the use of restricted data elements; validate potential reduction opportunities with process owners
- Prepare deliverables, present results to department leadership, and share insights at department all-staff meeting
Outcomes
- Business process recommendations focused on risk reduction related to the collection, use, storage and/or transmission of restricted data
- Collection of business process flow diagrams or narratives showing how restricted data is collected, used, stored and transmitted in the department
- Increased departmental awareness of risk associated with restricted data
- Collection of potential future initiatives that leverage the results of the risk assessment

The Project: Build Your Team
- Take the time you need to be strategic
- Align the team's composition with the culture of the department and institution
- Tone at the top is critical
- Our team was led by our Executive Director of Human Resources Information Systems; we made this decision jointly with OHR
- Team leader was the public face of the project; all communication and presentations came from the team lead

The Project: Phase 1
Primarily focused on defining scope; this phase is all about education for the department and understanding the risk environment.
Planning -> Survey Development -> Kick-Off -> Analysis of Results & Planning

Planning - Meeting with Senior Department Leadership
- Opportunity to invest leadership in the project
- Education on the Information Security Policy and articulation of our proposed process
- Management requests: this is an area where the project team needs to be very strategic; there are a limitless number of data elements that management may want to identify and understand the lifecycle around
  - Are these elements truly restricted?
  - Will management apply the required controls for these items?
- Effort and impact estimates: critical because the project includes everyone in a department; our estimate was 1.5-2 hours per person over the life of the entire project

Survey Development
Invest the time to align your survey with your institution's culture; the survey is a critical input to the project!
- Princeton has established norms for campus survey activities
  - Common tool
  - Terms are clear up front: explain how the responses are used and that the responses are confidential, but NOT anonymous
  - Never have a required question unless you give an option to not respond
- Balance the project team's need to gather data against busy schedules
  - Don't ask too many questions
  - Set reasonable expectations for response deadlines; reminders emailed at established intervals

Survey Questions and Mechanics
- Our survey has 7 questions: one question for each of the six data elements and a bonus question
- Set expectations:
  - Work with all elements: <30 minutes
  - Work with no elements: <5 minutes
- If you don't know, it's OK; we will work one on one
- Bonus Question: Do you have any Restricted Data you do not need to do your job? If yes, we ask the person to describe the situation

Kick Off: Introducing ourselves and the project
- Joint presentation led by client partner at an all-staff meeting
- Introduced the project, explained the consulting partnership, why we were doing this and what our goals were
- Answered questions and set clear expectations on the survey
- Senior department leadership attended the meeting and spoke to the importance of the project

Analysis of Results & Planning
- Preparation and forethought yielded great dividends on the survey
- Asked for responses within two weeks of receipt
- Provided direct reminders as well as within regularly scheduled weekly departmental communications
- 90% RESPONSE RATE!

Analysis of Results & Planning
- Survey allowed us to identify the population of people who work with Restricted Data
- Over 50% of the organization actively working with this data in many different processes
- Follow up with population of people who answered "not sure"; primarily people new to their roles
- Analysis undertaken to identify distinct business processes from the survey results to inform our Phase 2 approach
- Review "no" responses with a critical eye: compare to people in similar roles, pay special attention to people who respond "no" to everything; leverage your team for this, they have a sense for the department

The Project: Phase 2
Put the survey data to work to inform and guide the rest of the project!
Reporting Phase 1 Results -> Group Interviews -> Risk & Opportunity Assessment -> Reporting & Deliverables
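The survey analysis steps above (identify the population working with restricted data, queue "not sure" responders for one-on-one follow-up, check "no to everything" responses against peers in similar roles, and collect bonus-question reports of unneeded data) can be run as a script over the exported responses. The block below is an added example, not the Princeton project's own analysis; the respondent ids, roles and answers are constructed, and the six elements are the Restricted data elements named in the deck.

```python
"""Analyse Phase 1 survey responses for a restricted-data risk assessment.

Added example (not the OAC/OHR project's code). Assumes one record per
respondent with a yes / no / not sure answer for each of the six Restricted
data elements plus the free-text bonus question about unneeded data.
"""
from collections import Counter, defaultdict

RESTRICTED_ELEMENTS = (
    "SSN",
    "Bank Account Number",
    "State Identity Card",
    "Driver's License",
    "PHI",
    "Credit Card Number",
)
YES, NO, NOT_SURE = "yes", "no", "not sure"


def answers(yes=(), not_sure=()):
    """Build a full answer set; every element not listed is answered 'no'."""
    out = {e: NO for e in RESTRICTED_ELEMENTS}
    out.update({e: YES for e in yes})
    out.update({e: NOT_SURE for e in not_sure})
    return out


# Constructed sample responses; ids, roles and free text are fictional.
SURVEY = [
    {"id": "r01", "role": "Benefits", "answers": answers(yes=("SSN", "Bank Account Number", "PHI")), "unneeded": ""},
    {"id": "r02", "role": "Benefits", "answers": answers(yes=("SSN", "PHI")), "unneeded": ""},
    {"id": "r03", "role": "Benefits", "answers": answers(), "unneeded": ""},
    {"id": "r04", "role": "Payroll", "answers": answers(yes=("SSN", "Bank Account Number")), "unneeded": ""},
    {"id": "r05", "role": "Payroll", "answers": answers(not_sure=("SSN", "Bank Account Number")), "unneeded": ""},
    {"id": "r06", "role": "Recruiting", "answers": answers(), "unneeded": ""},
    {"id": "r07", "role": "Recruiting", "answers": answers(), "unneeded": ""},
    {"id": "r08", "role": "Immigration", "answers": answers(yes=("SSN", "State Identity Card", "Driver's License")),
     "unneeded": "Old onboarding forms in a shared folder I no longer use"},
    {"id": "r09", "role": "Payroll", "answers": answers(yes=("SSN",)), "unneeded": ""},
]


def element_usage(survey):
    """How many respondents answered 'yes' for each restricted element."""
    counts = Counter()
    for r in survey:
        counts.update(e for e, a in r["answers"].items() if a == YES)
    return {e: counts[e] for e in RESTRICTED_ELEMENTS}


def works_with_restricted_data(r):
    return any(a == YES for a in r["answers"].values())


def restricted_population(survey):
    """Ids of people who work with at least one restricted element."""
    return sorted(r["id"] for r in survey if works_with_restricted_data(r))


def not_sure_followups(survey):
    """People to meet one on one: anyone who answered 'not sure' anywhere."""
    return sorted(r["id"] for r in survey if NOT_SURE in r["answers"].values())


def all_no_outliers(survey, peer_threshold=0.5):
    """'No to everything' respondents whose role peers mostly do handle restricted data.

    Returns (id, role, share of peers who answered yes somewhere). This is a
    review list for the project team, who know the department, not a verdict.
    """
    by_role = defaultdict(list)
    for r in survey:
        by_role[r["role"]].append(r)
    flagged = []
    for r in survey:
        if any(a != NO for a in r["answers"].values()):
            continue
        peers = [p for p in by_role[r["role"]] if p["id"] != r["id"]]
        if not peers:
            continue
        share = sum(works_with_restricted_data(p) for p in peers) / len(peers)
        if share >= peer_threshold:
            flagged.append((r["id"], r["role"], share))
    return flagged


def unneeded_data_reports(survey):
    """Bonus-question answers: restricted data people say they do not need."""
    return [(r["id"], r["unneeded"]) for r in survey if r["unneeded"].strip()]


def summarize(survey):
    pop = restricted_population(survey)
    return {
        "response_count": len(survey),
        "restricted_population": pop,
        "restricted_share": round(len(pop) / len(survey), 3),
        "element_usage": element_usage(survey),
        "not_sure_followups": not_sure_followups(survey),
        "all_no_outliers": all_no_outliers(survey),
        "unneeded_reports": unneeded_data_reports(survey),
    }


if __name__ == "__main__":
    for key, value in summarize(SURVEY).items():
        print(f"{key}: {value}")
```

The peer comparison deliberately only flags people for review: in the constructed data, r03 is flagged because both other Benefits respondents handle restricted data, while the two Recruiting respondents who both answered "no" are not, since neither has a peer who says otherwise.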

Reporting Phase 1 Results
- Share the survey data with the department leadership team
  - Restricted Data Element Use
  - People identifying access to data they do not need
  - Feedback from the comment field
- Recommend a strategy for next steps
  - Interview approach and methodology
  - Re-confirm the anticipated time commitments: 1 hour for the interview, 0.5 hours to validate risk reduction opportunities (if any are identified)
- Obtain buy-in from department leadership team for your proposed Phase 2 approach; ask them to communicate with their reports

Group Interviews
- Input from department partners on how to structure this part of the project was a critical success factor
- Groups of people that identified performing similar functions and in similar roles
- Flexibility here is key; our interview strategy changed during the course of the project
- Structured the interviews with a series of leading topics to help people start talking; used the survey data as a starting place
- Significant awareness value in these group sessions, not only from an Information Security perspective, but in just how people in the same functions do things differently

Group Interviews
- Each process documented in a narrative format
- Important to have project team members from client department and OAC
- Identified potential risk reduction opportunities associated with each business process in each narrative
- The interviews were key in this project! Identified many additional business processes beyond the survey results

Risk & Opportunity Assessment
- In 2015/16, OAC and OIT partnered to perform a University-wide IT Risk Assessment
- Impact and likelihood rating scales that leverage NIST 800-53 were developed using a five-point scale
- Originally our intention was to leverage the impact and likelihood scales and score the risk associated with the business process
- This approach presented some challenges as we moved through the process

Risk & Opportunity Assessment
- Key purpose of risk assessment is to assist management with the prioritization of risk reduction efforts
- Management can focus efforts to enhance or add controls to reduce likelihood of risk realization

Risk & Opportunity Assessment
- When the project team started to rate our risks, we started noticing a trend
- Anyone else see the challenge?
- Management cannot use this to prioritize their efforts
- The project team had to develop another approach

Risk & Opportunity Assessment
- Developed a mitigation impact scale to assist management with prioritization of their efforts
- Unique in that some of our risk reduction opportunities eliminated the use of restricted data
- Mitigation scale recognizes that some of the business processes have inputs or other aspects that are outside management's control
- Project team jointly applied the ratings

Reporting & Deliverables
The Tangible Stuff
- Area-specific risk reduction opportunities were shared individually with Unit leaders
- Project close-out with department leadership team, co-presented with HR partners
- Consulting Memo that included department-wide themes and recommendations
- Detailed description of the methodology to support re-performance
- Departmental Risk Reduction Opportunity Reports
- An Information Warehouse based reporting tool that enables management to query the results of our engagement in different ways
The Less Tangible Stuff
- Significant insight into the life cycle of Restricted Data within the department
- Significant increase in the awareness of risk associated with Restricted Data
- A collection of potential future initiatives that can leverage the tangible results of the assessment

Reporting & Deliverables: A Closer Look
Risk Reduction Opportunity Reports
- Created for organization-wide themes and specific department risk reduction opportunities
- Color-coded risk reduction impact rating
- Organization-wide or business process
- From the Consulting Memo and Business Process Narratives for easy reference
- Easy reference to the type of data the recommendations action

| # | Impact | Organization Wide Theme (identified through survey and interviews) | Risk Reduction Opportunity (details related to how risks associated with the collection, use, storage and/or transmission of restricted data elements can be reduced at an organizational level) | Data Type (H: Hard Copy, E: Electronic) |
|---|--------|---|---|---|
| 1 | | Theme 1 | 1) Recommendation - Redacted | H/E |
| 2 | | Theme 2 | 1) Recommendation - Redacted | E |
| 3 | | Theme 3 | 1) Recommendation - Redacted | H/E |

Reporting & Deliverables: A Closer Look
Restricted Data Tracking Tool
- Project team partnered with OIT's Center for Data Analytics and Reporting to create a tool that would enable management to easily identify what business processes use certain types of data elements
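The two deliverables described above, the color-coded Risk Reduction Opportunity Report and the Restricted Data Tracking Tool that answers "which business processes use this data element", both sit on the same underlying record: one entry per documented process saying which restricted elements it touches, at which lifecycle stage, in which form, and what the mitigation impact of its risk reduction opportunity is. The block below is an added toy version of that, not the Information Warehouse tool OIT built for the project; the processes, units and opportunities are constructed, and the three-level mitigation scale (Eliminates / Reduces / Outside control) is an assumption that only mirrors the properties the deck gives the scale.

```python
"""Toy Restricted Data Tracking Tool and opportunity report.

Added example; not the OIT Center for Data Analytics and Reporting tool from
the deck. Assumes each process narrative has been reduced to: the restricted
elements it touches, the lifecycle stages (collect, use, store, transmit) at
which it touches them, the form (H = hard copy, E = electronic), the risk
reduction opportunity, and an assumed three-level mitigation impact rating.
"""
from collections import defaultdict

STAGES = ("collect", "use", "store", "transmit")

# Assumed mitigation impact scale (highest first) and the colour used to code it.
IMPACT_RANK = {"Eliminates": 3, "Reduces": 2, "Outside control": 1}
IMPACT_COLOR = {"Eliminates": "green", "Reduces": "yellow", "Outside control": "grey"}

# Constructed process narratives; units, processes and opportunities are fictional.
PROCESSES = [
    {"name": "New hire onboarding", "unit": "Unit A",
     "elements": {"SSN": {"stages": ("collect", "store", "transmit"), "form": "HE"},
                  "Bank Account Number": {"stages": ("collect", "transmit"), "form": "E"}},
     "opportunity": "Have new hires enter data directly in the system of record",
     "impact": "Eliminates"},
    {"name": "Benefits enrollment", "unit": "Unit B",
     "elements": {"SSN": {"stages": ("use", "transmit"), "form": "E"},
                  "PHI": {"stages": ("collect", "store"), "form": "H"}},
     "opportunity": "Shred paper enrollment copies once keyed into the system",
     "impact": "Reduces"},
    {"name": "Vendor background check", "unit": "Unit A",
     "elements": {"SSN": {"stages": ("collect", "transmit"), "form": "E"},
                  "Driver's License": {"stages": ("collect",), "form": "E"}},
     "opportunity": "Vendor intake form requires SSN; raise at contract renewal",
     "impact": "Outside control"},
    {"name": "Payroll direct deposit", "unit": "Unit C",
     "elements": {"Bank Account Number": {"stages": ("collect", "store"), "form": "E"}},
     "opportunity": "Route changes through the self-service portal, not emailed forms",
     "impact": "Eliminates"},
]


def processes_using(element, stage=None, form=None, processes=PROCESSES):
    """Names of processes that touch `element`, optionally at one stage / in one form."""
    hits = []
    for p in processes:
        use = p["elements"].get(element)
        if use is None:
            continue
        if stage is not None and stage not in use["stages"]:
            continue
        if form is not None and form not in use["form"]:
            continue
        hits.append(p["name"])
    return sorted(hits)


def element_index(processes=PROCESSES):
    """Inverted index: restricted element -> sorted process names."""
    idx = defaultdict(set)
    for p in processes:
        for element in p["elements"]:
            idx[element].add(p["name"])
    return {e: sorted(names) for e, names in idx.items()}


def data_type(p):
    """'H', 'E' or 'H/E' for the whole process, as in the report's Data Type column."""
    forms = set().union(*(set(u["form"]) for u in p["elements"].values()))
    return "/".join(f for f in ("H", "E") if f in forms)


def opportunity_report(processes=PROCESSES):
    """Rows of the colour-coded report, highest mitigation impact first."""
    ordered = sorted(processes, key=lambda p: (-IMPACT_RANK[p["impact"]], p["name"]))
    return [
        {"#": n, "impact": p["impact"], "color": IMPACT_COLOR[p["impact"]],
         "process": p["name"], "unit": p["unit"],
         "opportunity": p["opportunity"], "data_type": data_type(p)}
        for n, p in enumerate(ordered, start=1)
    ]


if __name__ == "__main__":
    print("SSN is stored by:", processes_using("SSN", stage="store"))
    for row in opportunity_report():
        print(f'{row["#"]} [{row["color"]}] {row["process"]} ({row["unit"]}): '
              f'{row["opportunity"]} [{row["data_type"]}]')
```

Queries by stage and form are what make the tool useful after the engagement: "who stores SSNs on paper" is a different follow-up list from "who transmits SSNs electronically", and ranking the report by mitigation impact rather than by likelihood x impact is what gives management an order to work in.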

Outcomes, Lessons Learned and Next Steps

Closing Thoughts: Outcomes
Actionable opportunities for risk reduction, raised awareness, developed tools, and provided insight!
Department-wide examples:
- Technical training on the use of tools to transmit data
- Access reviews, physical and electronic
- Management of non-university owned computers and devices
- Data not needed
Unit-specific examples:
- Discontinuing the use of restricted data in processes where possible
- Consistency of process
- Leveraging the system of record
Potential follow-on initiatives, all informed by the project:
- Secure storage initiatives
- Automated scanning for restricted data

Closing Thoughts: Lessons Learned
- It is important to talk to everyone
- Align your interview approach with your institution's culture
- Calibrate your approach relative to the size of the department
- Assemble the right project team; insight into how the client department works is key
- A project like this is a tremendous opportunity not only to raise awareness and add value, but to promote the value of Internal Audit

Where do we go from here?
- OAC planning to perform two additional assessments as part of the 2018 Audit and Consulting Plan Year
- More requests than we can accommodate in our 2018 plan year
- Long-term goal is to make Phase 1 of the assessment a self-service tool for departments
- Happy to share the entire methodology and supporting work product; request that you share enhancements and ideas!

Thank you, we appreciate you!
Christopher Oswald, Assistant Director, IT Audit, coswald@princeton.edu
Jerome Park, Director, IT Audit, jeromep@princeton.edu
Questions?