Developing an Enterprise-Wide Privacy and Data Security Training Program

1. Ross T. Janssen, J.D., CIPP Privacy & Security Officer University of Minnesota John T. Jensen, CHPS, CIPP Assistant Director Privacy & Security Office University of Minnesota Developing an Enterprise-Wide Privacy and Data Security Training Program

2. Outline • Drivers • Organizational Complexity • Key Project Components • Costs and Timelines • Lessons Learned • Questions

3. Drivers • Incidents • Notification law • New IT security laws • Leverage resources • Lots of regulation

4. Complexity of Higher Education • Multi-part missions • Culture of Openness • Decentralized Organization • Need for Privacy and Security • Diverse stakeholders • Regulations • Community Expectations

5. Developing a Balanced Approach: Key Assumptions • University faculty, staff, and students create, use, access, store, and share private data. • Must understand human dimensions as well as acknowledge the need to address not only what is required (law) but also what is expected (from the community).

6. Key Project Components • Analysis & Planning • Curriculum & Instructional Design • Content Development • Training Delivery & Tracking • Awareness & Communications • Evaluation & Measurements • Reporting

7. Analysis & Planning • Process • Key Findings • Content • Technology and delivery • Patterns of use • challenges • Recommendations

8. Analysis & Planning • Mandatory or voluntary • Role based? • Scope • measurements • Opportunities

9. Purpose • Educate users about institutional expectations. • Educate users about good IT practices. • Enhance productivity through standard practices.

10. Course Curriculum

11. Content Development • Principal v. topical • Identify subject matter experts • Policy translation • Course objectives • Identify resources • Lots and lots and lots of time!

15. Training Delivery & Tracking • Privacy Coordinator/Liaison Structure • Leveraging Existing Infrastructure • Human Resources System (PeopleSoft) • University portal (www.myu.umn.edu) • Database (Oracle) • eLearning System (WebCT – Blackboard) • Email • Tracking & Delivery Enhancements • Tiered assignments for timed delivery • Reports

16. Communications & Awareness • Challenges • Decentralized communication infrastructures • Multiple web identities • Communicating to Faculty • Communicating to research personnel • “I work with rats, not data”

17. Communications & Awareness –A Multi-Tiered Approach • Packaged Communications (Mailings, Posters, Logos, Banners, etc) • Strategic Communications (Memorandums, electronic notices of course assignments, in-person meetings, Scripts for supervisors and coordinators)

18. Communications & Awareness - Packaged

19. Measurements : Evaluation & Reporting Assessing Confidence Levels: Before and After Training 1. I am confident that I can secure my work environment and the private data I may use in my job. 2. I am confident that I can identify resources for securing my computer workstation. 3. I am confident that I can create and use strong passwords. 4. I am confident that I can recognize actions that increase security risk. 5. I am confident that I can use best practices to reduce the risks associated with using and sharing University private data. 6. I am confident that I can identify security issues and take appropriate action to address them. 7. I am confident that I can identify what University data are private and what University data are public.

20. Costs and Timelines

21. Contact Information Privacy & Security Office University of Minnesota privacy@umn.edu Ross T. Janssen, JD, CIPP 612.626.5844 janss006@umn.edu John T. Jensen, CHPS, CIPP 612.626.3885 jense100@umn.edu