Please report any problems to the Shared Tools Team at st-help@doit.wisc.edu    Broken Links? Missing Macros? WIKI Retiring Plugins
Child pages
  • IT Policy Forum 2014-08 Discussion Results
Skip to end of metadata
Go to start of metadata

Discussion questions:
 

  1. What do campus units need from central IT in order to locate and report UW-Madison SSN's?
  2. What are some practical strategies for both respecting the privacy rights of individuals and successfully locating and reporting the presence of UW-Madison SSN's on their personally owned devices that are used for University business?
  3. In what locations in departments and offices is the presence of UW-Madison SSN's:
         reasonably likely?
         reasonably unlikely?

Report back

What do campus units need from central IT in order to locate and report UW-Madison SSN's?

  • Best practices
  • Settings for using tools
  • Frequency of use beyond what's required by the policy
  • Acceptable aternative tools / methods
  • Place to store the SSN's that are left
  • Cheat sheet of current and historical forms that have SSN, and how long to keep them
  • Identity Finder and similar tools that work on all platforms
  • Clear distinction of responsibility – e.g. Cashnet process
  • Include support for Linux in set of tools – vast majority is on Linux boxes in some departments
  • KB articles and tools available over the web

What are some practical strategies for both respecting the privacy rights of individuals and successfully locating and reporting the presence of UW-Madison SSN's on their personally owned devices that are used for University business?

  • High level support and direct communications to department Chairs
  • Look at business processes – only look at personal devices in high risk areas
  • Notification if used for UW work – must notify department of possible breach
  • Need to tell people that it applies to personal devices – needs to come from management, NOT IT staff

In what locations in departments and offices is the presence of UW-Madison SSN's: reasonably likely? reasonably unlikely?

  • SSN could be in email attachments and email system

Group Notes

Group 1

What do campus units need from central IT in order to locate and report UW-Madison SSN's?

  • Tool
  • Central reporting
  • No SSN''s transmitted out of department subnet. How to address this?
  • Local Identity Finder server to verify security
  • Some departments tend to be insular
  • Encryption standard – Sophos status? Delegated admin vital

What are some practical strategies for both respecting the privacy rights of individuals and successfully locating and reporting the presence of UW-Madison SSN's on their personally owned devices that are used for University business?

  • In KB docs for connection to BYOD's, include security concerns and their solutions
  • Clear policy to enforce non-compliance with BYOD's
  • Tool to block BYOD's not complying

In what locations in departments and offices is the presence of UW-Madison SSN's: reasonably likely? reasonably unlikely?

  • Reasonable likely:
    • All office admins
    • School of Medicine
    • Social Sciences
    • Enrollment Management
    • WSOB
    • Engineering
    • Law
    • Graduate School
    • Purchasing
    • HR
    • Email
    • Academic department Chairs

Group 2

What do campus units need from central IT in order to locate and report UW-Madison SSN's?

  • In my department, all data is on Linux. Need Linux tools
  • Formal mechanism for reporting
  • We need policy (on Web) to pass on to data steward
  • Docs & Tools

What are some practical strategies for both respecting the privacy rights of individuals and successfully locating and reporting the presence of UW-Madison SSN's on their personally owned devices that are used for University business?

  • At some point responsibility has to transferred to the individual (i.e. faculty.) Guidance from CIO is essential
  • Portals to access the data people need without storing that data on the BYOD would help greatly
  • Communications with faculty and others that they are responsibility for security on the device

Group 3

What do campus units need from central IT in order to locate and report UW-Madison SSN's?

  • Identity Finder or similar tool where possible that works on all platforms
  • What about flash drives – managing data
  • Sensitive data may be contained within email attachments – some systems may have to treated as containing sensitive data
  • Clear destinction where the responsibility is. DoIT vs. other IT staff.
  • Notification for any device (even personal equipment) used for U.W. business so that lost/stolen/compromised equipment gets notified (password and remote wipe, scans)
  • Possibly restrict access using static IP's/WiscVPN
  • Office 365 vs. Identity Finder
    • Why is the U.W. pushing both of these when Office 365 has not been tested for this? Business agreement?
  • Process for wiping sensitive data off old equipment

In what locations in departments and offices is the presence of UW-Madison SSN's: reasonably likely? reasonably unlikely?

  • Reasonably likely:
    • Medicare/Medicaid uses SSN's
    • Anyone doing clinical data including research may se SSN's
      • Research documents
      • Financial documents
      • Travel reports
    • Data Warehouses (places outside fo the source location where the data may have been copied/extracted.)

Group 4

What do campus units need from central IT in order to locate and report UW-Madison SSN's?

  • Support, sponsorship by higher level
  • Someone to say "We're doing this."
  • More guidance on procedure
  • Address directors / chairs and disseminate there. Strike the right tone
  • Cheat sheet of current & historical forms taht have SSN's, and how long to keep them
  • Focus on high risk
  • Decent tools – tuned Identity Finder

What are some practical strategies for both respecting the privacy rights of individuals and successfully locating and reporting the presence of UW-Madison SSN's on their personally owned devices that are used for University business?

  • ID processes with high risk first – only look at devices for people that are involved with those processes
  • Digital certs - need both ends set up. Constant process for new facilities
  • Would like to get away from transferring data via email

In what locations in departments and offices is the presence of UW-Madison SSN's: reasonably likely? reasonably unlikely?

  • Business areas – financial/HR
  • Data sets with SSN's
  • Grant providing organizations
  • Old student data

Group 5

What do campus units need from central IT in order to locate and report UW-Madison SSN's?

  • Tools
    • Identity Finder
    • How to connect to central reporting
    • A place to store the detailed results
    • A place to store what SSN's are left 
  • Guidance/ Common Practices
    • On frequency to scan
    • On what triggers the need to scan again
  • What alternate methods of scan are OK?
  • What alternative methods are reporting are OK?

What are some practical strategies for both respecting the privacy rights of individuals and successfully locating and reporting the presence of UW-Madison SSN's on their personally owned devices that are used for University business?

  • Awareness that this also helps the individual by finding their own cached info – even though that is not U.W. data.
  • Education that personal devices are now open to public records requests in addition to all UW search rules, thus encouraging reduction of the number of devices used
  • Educate on settings for devices, so users can protect their device
  • Possibly leverage O365 to know of stuff in email and thus how much we need to be concerned about this
  • Use of Terminal Servers / Remote Desktops for SSN (HR) viewing
  • Do a risk estimate for mobile devices. Maybe not large stores on modile, but more concern on home computers and personal computers?

In what locations in departments and offices is the presence of UW-Madison SSN's: reasonably likely? reasonably unlikely?

  • Each of the many HR groups
  • All financial aid groups
  • Financial services

Group 6

What do campus units need from central IT in order to locate and report UW-Madison SSN's?

  • A list of locations of where we need to scan
    • examples – e.g. databases, web sites
    • what tools are available to scan
  • The locations of what process can be used
    • For a database, export and then scan?
    • Can Identity Finder scan databases? SQL, Oracle
    • How to scan email

What are some practical strategies for both respecting the privacy rights of individuals and successfully locating and reporting the presence of UW-Madison SSN's on their personally owned devices that are used for University business?

  • Provide awareness and tools to manage univeristy data on personal devices
  • Educate users on potential issues
    • tools
    • have product to install on devices that allocates area on device for UW data
    • remote wipe / management tool

In what locations in departments and offices is the presence of UW-Madison SSN's: reasonably likely? reasonably unlikely?

  • Databases
  • File shares
  • Clients – workstations
  • Email

 

  • No labels