It's 10pm. Do You Know Where Your Institution's PII Is?
Reducing Risk by Understanding the How, Where, and Why of your PII

Chris Oswald, Assistant Director, IT Audit
Jerome Park, Director, IT Audit
Princeton University Office of Audit and Compliance

Who are we?
- Jerome Park, Director, IT Audit
- Christopher Oswald, Assistant Director, IT Audit
Our Goals For Today
We hope everyone will leave here today with:
- Insight into the value of understanding how PII is used, collected, stored and transmitted at your institution
- A project framework for conducting your own PII risk assessment
- An understanding of how to build tools that provide ongoing insight into risk related to PII
We are happy to share everything we talk about during this session. We only have one ask: if you enhance the methodology or any supporting material, please share it with us so we can incorporate the enhancements into our upcoming projects.

Our Time Together
It's short: only 50 minutes! We break our time down into three areas:
- History and Context
- The Project
- Outcomes, Lessons Learned and Next Steps
Look for the take-away marker throughout the deck; it flags the key take-away items.
History and Context
How did we get here?
- The VP of Human Resources wants a better understanding of the lifecycle of PII in the Office of Human Resources (OHR)
- OHR was completing a project to remove all unneeded PII from reports in the Information Warehouse and wanted to do more
- This is a focus area for the entire institution and is linked directly with a significant revision to the University's Information Security Policy
- The Office of Audit and Compliance (OAC) and OHR agreed to partner
First, a bit of history (and context)
- Princeton has been continuously working to secure and manage PII.
- A significant revision to our Information Security Policy in 2015 moved the policy to a focus on information protection and classification, and away from operations.
- This was a big deal: the new policy came with clear definitions and obligations for administrators, including required controls for certain data elements!

History and Context - Continued
The policy outlines four classification categories:
- Restricted
- Confidential
- Unrestricted within Princeton University
- Public
Restricted is the only category that defines specific data elements; all other data is to be classified by management. The Restricted elements are:
- SSN
- Bank Account Numbers
- State Identity Cards
- Driver's License
- PHI (elements as defined by HIPAA)
- Credit Card Numbers
History and Context - Continued
- Control requirements based on data classification are compiled in a reference website: ProtectOurInfo.Princeton.edu
- The website and guidance are maintained by the Information Security Office (ISO)

The Project
The Project
- We have some defined requirements: the Information Security Policy
- We know what we need to do: gain a better understanding of the lifecycle of PII in Human Resources
- How do we do it?

The Project
I've got this, I'm an IT person after all!
- Step 1: Run scanner
- Step 2: Find data
- Step 3: Apply controls
- Step 4: Celebrate
The Project
Not So Fast!

The Project
In 1966 Maslow coined the concept known as The Law of the Instrument*: basically a cognitive bias that always leads you to use the same tool regardless of the problem. "If the only tool I have is a hammer, then everything is a nail."
This was a critical moment for our project: is this actually an IT problem that can be solved with IT tools like scanners, or are we dealing with a business problem with significant IT dependency?
*There is dispute about the attribution of this concept
The Project
This realization raised a number of questions!
- How do we get the data in the first place?
- What do we do with the data after we use it?
- Where do we store the data?
- Why do we need the data?
- Should we be storing the data?
- Do we need to share the data?
- How do we share the data?

The Project - Root Cause Analysis
- Data has a life of its own
- We still need data, yes, even restricted data
- Finding it only addresses a small part of the life cycle
- Location today is no guarantee about where it will be tomorrow
Develop a deeper understanding of the data life cycle to enable management to apply controls without impacting service levels. Specifically we wanted to understand the risk associated with:
- Collect (How does the data get into our organization?)
- Use (Why are we collecting it?)
- Store (Where do we keep the data and for how long?)
- Transmit (Are we sending it on?)
The Project In a Nutshell
Phase 1: Planning, Education, and Data Gathering
- Information session with the department leadership team on the Information Security Policy and restricted data elements
- Develop a customized survey to identify where restricted data elements are collected, used, stored and transmitted, as well as whether department members have restricted data they do not need
- Joint presentation at the department all-staff meeting to introduce the project, share details about the survey and answer questions
- Survey department members; analyze survey results and identify where restricted data is collected, used, stored and transmitted
Phase 2: Documentation, Analysis, and Reduction Opportunities
- Share survey results, analysis and a list of recommended process mapping interviews with department leadership
- Conduct interviews
- Document processes and identify potential opportunities to reduce the use of restricted data elements; validate potential reduction opportunities with process owners
- Prepare deliverables, present results to department leadership, and share insights at the department all-staff meeting
Outcomes
- Business process recommendations focused on risk reduction related to the collection, use, storage and/or transmission of restricted data
- Collection of business process flow diagrams or narratives showing how restricted data is collected, used, stored and transmitted in the department
- Increased departmental awareness of risk associated with restricted data
- Collection of potential future initiatives that leverage the results of the risk assessment

The Project - Build Your Team
- Take the time you need to be strategic
- Align the team's composition with the culture of the department and institution
- Tone at the top is critical
- Our team was led by our Executive Director of Human Resources Information Systems; we made this decision jointly with OHR
- The team leader was the public face of the project; all communication and presentations came from the team lead
The Project - Phase 1
Primarily focused on defining scope, this phase is all about education for the department and understanding the risk environment.
Planning > Survey Development > Kick-Off > Analysis of Results & Planning

Planning - Meeting with Senior Department Leadership
- Opportunity to invest leadership in the project
- Education on the Information Security Policy and articulation of our proposed process
- Management requests: this is an area where the project team needs to be very strategic; there are a limitless number of data elements that management may want to identify and understand the lifecycle around
  - Are these elements truly restricted?
  - Will management apply the required controls for these items?
- Effort and impact estimates: critical because the project includes everyone in a department. Our estimate was 1.5 to 2 hours per person over the life of the entire project
Survey Development
Invest the time to align your survey with your institution's culture; the survey is a critical input to the project!
- Princeton has established norms for campus survey activities
  - Common tool
  - Terms are clear up front: explain how the responses are used and that the responses are confidential, but NOT anonymous
  - Never have a required question unless you give an option to not respond
- Balance the project team's need to gather data against busy schedules
  - Don't ask too many questions
  - Set reasonable expectations for response deadlines; reminders emailed at established intervals

Survey Questions and Mechanics
- Our survey has 7 questions: one question for each of the six data elements and a bonus question
- Set expectations:
  - Work with all elements: <30 minutes
  - Work with no elements: <5 minutes
- If you don't know, it's OK; we will work one on one
- Bonus question: Do you have any Restricted Data you do not need to do your job? If yes, we ask the person to describe the situation
Kick-Off - Introducing ourselves and the project
- Joint presentation led by the client partner at an all-staff meeting
- Introduced the project, explained the consulting partnership, why we were doing this and what our goals were
- Answered questions and set clear expectations on the survey
- Senior department leadership attended the meeting and spoke to the importance of the project

Analysis of Results & Planning
Preparation and forethought yielded great dividends on the survey:
- Asked for responses within two weeks of receipt
- Provided direct reminders as well as reminders within regularly scheduled weekly departmental communications
- 90% RESPONSE RATE!
Analysis of Results & Planning
- The survey allowed us to identify the population of people who work with Restricted Data
- Over 50% of the organization actively works with this data in many different processes
- Follow up with the population of people who answered "not sure"; primarily people new to their roles
- Analysis undertaken to identify distinct business processes from the survey results, to inform our Phase 2 approach
- Review "no" responses with a critical eye: compare to people in similar roles and pay special attention to people who respond "no" to everything; leverage your team for this, they have a sense for the department

The Project - Phase 2
Put the survey data to work to inform and guide the rest of the project!
Reporting Phase 1 Results > Group Interviews > Risk & Opportunity Assessment > Reporting & Deliverables
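The survey review heuristics above (identify the population that works with restricted data, follow up on "not sure", and look critically at people who answer "no" to everything when peers in the same role answer "yes") as a small triage script. This is an added example, not the Princeton team's tooling; the record layout, the answer values and every respondent are constructed.

```python
"""Triage of responses to a restricted-data survey like the one in this deck.

Added example, not Princeton's tooling: record layout, answer values and
every respondent are constructed. The six elements and the review heuristics
("not sure" follow-ups, "no to everything" vs. peers in the same role) are the deck's.
"""
from collections import defaultdict

ELEMENTS = ["SSN", "Bank Account", "State ID", "Driver's License", "PHI", "Credit Card"]

def answers(*vals):
    """One answer per element, in ELEMENTS order."""
    return dict(zip(ELEMENTS, vals))

# Constructed responses: name, role, six answers, bonus-question text.
RESPONSES = [
    {"name": "Ana", "role": "Benefits Specialist", "unneeded": "",
     "answers": answers("yes", "yes", "no", "no", "yes", "no")},
    {"name": "Ben", "role": "Benefits Specialist", "unneeded": "",
     "answers": answers("no", "no", "no", "no", "no", "no")},
    {"name": "Cara", "role": "Payroll Analyst",
     "unneeded": "Old termination reports with SSNs on a shared drive",
     "answers": answers("yes", "yes", "no", "no", "no", "no")},
    {"name": "Dev", "role": "Payroll Analyst", "unneeded": "",
     "answers": answers("not sure", "not sure", "no", "no", "no", "no")},
    {"name": "Eli", "role": "Receptionist", "unneeded": "",
     "answers": answers("no", "no", "no", "no", "no", "no")},
]

def restricted_data_population(responses):
    """People who said 'yes' to any element: the Phase 2 interview pool."""
    return [r["name"] for r in responses if "yes" in r["answers"].values()]

def not_sure_followups(responses):
    """People to work with one on one, with the elements they were unsure about."""
    return [(r["name"], [e for e, a in r["answers"].items() if a == "not sure"])
            for r in responses if "not sure" in r["answers"].values()]

def suspicious_all_no(responses):
    """'No' to everything while a peer in the same role said 'yes' to some
    element: worth a critical second look, as the deck recommends."""
    yes_by_role = defaultdict(set)
    for r in responses:
        yes_by_role[r["role"]].update(e for e, a in r["answers"].items() if a == "yes")
    return [(r["name"], sorted(yes_by_role[r["role"]])) for r in responses
            if all(a == "no" for a in r["answers"].values()) and yes_by_role[r["role"]]]

def unneeded_data_reports(responses):
    """Bonus-question answers: restricted data a person says they do not need."""
    return [(r["name"], r["unneeded"]) for r in responses if r["unneeded"]]
```

Eli also answers "no" to everything but is not flagged, because nobody in the same role reported working with restricted data; the peer comparison is what separates a plausible "no" from one worth a second look.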
Reporting Phase 1 Results
- Share the survey data with the department leadership team
  - Restricted data element use
  - People identifying access to data they do not need
  - Feedback from the comment field
- Recommend a strategy for next steps
  - Interview approach and methodology
  - Re-confirm the anticipated time commitments: 1 hour for the interview, 0.5 hours to validate risk reduction opportunities (if any are identified)
- Obtain buy-in from the department leadership team for your proposed Phase 2 approach; ask them to communicate with their reports

Group Interviews
- Input from department partners on how to structure this part of the project was a critical success factor
- Groups of people that identified performing similar functions and in similar roles
- Flexibility here is key: our interview strategy changed during the course of the project
- Structured the interviews with a series of leading topics to help people start talking; used the survey data as a starting place
- Significant awareness value in these group sessions, not only from an Information Security perspective, but in seeing how people in the same functions do things differently
Group Interviews
- Each process documented in a narrative format
- Important to have project team members from the client department and OAC
- Identified potential risk reduction opportunities associated with each business process in each narrative
- The interviews were key in this project! They identified many additional business processes beyond the survey results

Risk & Opportunity Assessment
- In 2015/16, OAC and OIT partnered to perform a University-wide IT Risk Assessment
- Impact and likelihood rating scales that leverage NIST 800-53 were developed using a five-point scale
- Originally our intention was to leverage the impact and likelihood scales and score the risk associated with each business process
- This approach presented some challenges as we moved through the process
Risk & Opportunity Assessment
- The key purpose of the risk assessment is to assist management with the prioritization of risk reduction efforts
- Management can focus efforts to enhance or add controls to reduce the likelihood of risk realization

Risk & Opportunity Assessment
- When the project team started to rate our risks, we started noticing a trend. Anyone else see the challenge?
- Management cannot use this to prioritize their efforts
- The project team had to develop another approach
Risk & Opportunity Assessment
- Developed a mitigation impact scale to assist management with prioritization of their efforts
- Unique in that some of our risk reduction opportunities eliminated the use of restricted data
- The mitigation scale recognizes that some of the business processes have inputs or other aspects that are outside management's control
- The project team jointly applied the ratings

Reporting & Deliverables
The Tangible Stuff
- Area-specific risk reduction opportunities were shared individually with unit leaders
- Project close-out with the department leadership team, co-presented with HR partners
- Consulting Memo that included department-wide themes and recommendations
- Detailed description of the methodology to support re-performance
- Departmental Risk Reduction Opportunity Reports
- An Information Warehouse based reporting tool that enables management to query the results of our engagement in different ways
The Less Tangible Stuff
- Significant insight into the life cycle of Restricted Data within the department
- Significant increase in the awareness of risk associated with Restricted Data
- A collection of potential future initiatives that can leverage the tangible results of the assessment
Reporting & Deliverables - A Closer Look
Risk Reduction Opportunity Reports
- Created for organization-wide themes and specific department risk reduction opportunities
- Color-coded risk reduction impact rating
- Organization-wide or business process
- Drawn from the Consulting Memo and Business Process Narratives for easy reference
- Easy reference to the type of data the recommendations act on

Sample organization-wide report (impact ratings are color-coded in the original):
# | Impact | Organization Wide Theme (identified through survey and interviews) | Risk Reduction Opportunity (details related to how risks associated with the collection, use, storage and/or transmission of restricted data elements can be reduced at an organizational level) | Data Type (H: Hard Copy, E: Electronic)
1 | (color-coded) | Theme 1 | 1) Recommendation - Redacted | H/E
2 | (color-coded) | Theme 2 | 1) Recommendation - Redacted | E
3 | (color-coded) | Theme 3 | 1) Recommendation - Redacted | H/E

Reporting & Deliverables - A Closer Look
Restricted Data Tracking Tool
- The project team partnered with OIT's Center for Data Analytics and Reporting to create a tool that would enable management to easily identify what business processes use certain types of data elements
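The kind of query the tracking tool supports (which processes collect, use, store or transmit a given restricted element, on which medium) together with a prioritization that follows the mitigation impact scale described earlier, as an in-memory sketch. This is an added example, not the tool Princeton built with the Center for Data Analytics and Reporting; the row layout, the three-level mitigation impact rating and the external-input flag are assumptions.

```python
"""A Restricted Data Tracking Tool sketched as a small in-memory inventory.

Added example, not the tool Princeton built with the Center for Data
Analytics and Reporting: the row layout, the three-level mitigation impact
rating and the external-input flag are assumptions; the lifecycle stages,
the restricted elements and the H/E media codes come from the deck.
"""
from collections import defaultdict

# Constructed inventory: (process, element, stage, medium H=hard copy / E=electronic).
INVENTORY = [
    ("New hire onboarding", "SSN", "collect", "H"),
    ("New hire onboarding", "SSN", "store", "E"),
    ("New hire onboarding", "SSN", "transmit", "E"),
    ("Direct deposit setup", "Bank Account", "collect", "H"),
    ("Direct deposit setup", "Bank Account", "store", "H"),
    ("Leave administration", "PHI", "collect", "E"),
    ("Leave administration", "PHI", "store", "E"),
    ("I-9 verification", "Driver's License", "collect", "H"),
]

# Constructed risk reduction opportunities: (process, recommendation, mitigation
# impact, external_input). Assumed scale: 3 = eliminates the restricted element,
# 2 = reduces exposure, 1 = minor; external_input marks inputs outside management's control.
OPPORTUNITIES = [
    ("New hire onboarding", "Enter SSN directly in the system of record; retire the paper form", 3, False),
    ("Direct deposit setup", "Keep voided checks in a locked cabinet; stop making copies", 2, False),
    ("Leave administration", "Carrier sends PHI by email; request a secure transfer channel", 2, True),
    ("I-9 verification", "Shred copies once the retention period ends", 1, True),
]

def processes_using(element, stage=None, medium=None):
    """Management query: which processes touch this element, optionally at one stage or medium."""
    return sorted({p for p, e, s, m in INVENTORY if e == element
                   and stage in (None, s) and medium in (None, m)})

def lifecycle(process):
    """Where each element appears in one process, as (stage, medium) pairs."""
    out = defaultdict(list)
    for p, e, s, m in INVENTORY:
        if p == process:
            out[e].append((s, m))
    return dict(out)

def prioritize(opportunities):
    """Highest mitigation impact first; within a level, items fully under
    management's control come before those that depend on external inputs."""
    return sorted(opportunities, key=lambda o: (-o[2], o[3], o[0]))
```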
Outcomes, Lessons Learned and Next Steps

Closing Thoughts - Outcomes
Actionable opportunities for risk reduction, raised awareness, developed tools, and provided insight!
Department-wide examples:
- Technical training on the use of tools to transmit data
- Access reviews, physical and electronic
- Management of non-university-owned computers and devices
- Data not needed
Unit-specific examples:
- Discontinuing the use of restricted data in processes where possible
- Consistency of process
- Leveraging the system of record
Potential follow-on initiatives, all informed by the project:
- Secure storage initiatives
- Automated scanning for restricted data
Closing Thoughts - Lessons Learned
- It is important to talk to everyone
- Align your interview approach with your institution's culture
- Calibrate your approach relative to the size of the department
- Assemble the right project team; insight into how the client department works is key
- A project like this is a tremendous opportunity not only to raise awareness and add value, but to promote the value of Internal Audit

Where do we go from here?
- OAC is planning to perform two additional assessments as part of the 2018 Audit and Consulting Plan Year
- More requests than we can accommodate in our 2018 plan year
- The long-term goal is to make Phase 1 of the assessment a self-service tool for departments
- Happy to share the entire methodology and supporting work product; we request that you share enhancements and ideas!
Thank you, we appreciate you!
Christopher Oswald, Assistant Director, IT Audit, coswald@princeton.edu
Jerome Park, Director, IT Audit, jeromep@princeton.edu
Questions?