It’s Past Midnight
Do you know
where your data are?
EDUCAUSE MIDWEST 2008
Mary Pickering, Program Director, University Information Services, Georgetown University
Copyright Mary Pickering, 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
What they really fight about inside the Beltway …
Data are!
Data is!
Defining the scope of the problem
A brief survey
Data breaches
Regulatory implications
Damage
Formal review & approval processes
Information technology contracts at Georgetown
1789-2005: Decentralized, self-regulated, ‘generous’
2005-2006: Formal centralized review
Process for additional review
Standard Terms & Conditions
Fiscal motivation primary
Slow rate of acceptance
A new paradigm
Regulatory responses to a brave new electronic world
40 states & District of Columbia have data breach notification laws
2003: California
Range of actions
Implications for universities and colleges
The nature of data breaches
Cause #1 - Us
Human error
Poor security practices
Failure to consider the wider picture
Cause # 2 - Them
‘Joyriders’
Criminal activity
Exponential growth
How do we react to this new reality?
IT professionals on the front lines
Protecting against external threats
Implement firewalls
Monitor systems
Protecting against systemic internal risks
Eliminate ‘protected’ data
Enforce secure passwords
Provision encrypted laptops
But what about the risks that technology can’t protect against?
Risk #1 – Alpha projects
Banner: a multi-year, complete overhaul of a core system project?
protected data, integrations, scale
Risk #2 – Taming the beast
How about the new e-mail system?
high profile, campus-wide, outsourced
Controlling risk in large scale projects
Layers of approval
Dedicated project managers
Multiple expert resources
Oversight committees
Extensive change control procedures
Separation of duties
Checks and balances
Risk #3 – Stealth projects
Professor Pookie
protected data, no oversight, mixed technical bag
Imperfect storm at Georgetown
Human factors: Technically sophisticated faculty member
Technical factors: Self-managed servers
Environmental factors: Lack of institutional oversight; Legacy contract since mid ’80s
Counting the costs
The breach: 41,000 clients of the Office of Aging; No criminal activity using data
The impact: $300,000+ (data analysis, notification, materials, legal counsel); 200+ staff hours; Loss of productivity; Damaged relationships & reputation
Immediate institutional response
May 2006: All contracts involving technology must be reviewed by central IT (University Information Services)
Executive VP, General Counsel & CIO mandate
Effective immediately
Yikes!
What is this contract for? Vast breadth of quality & detail; Lack of understanding; Jumping the gun
Who are you? Widespread confusion; Even wider spread displeasure
What do we do now? Definition of ‘involving technology’; Internal process, ownership & tracking; Review criteria
The flood of 2007
Contracts (1,200)
IT (10%)
Web (45%)
Non-web (55%)
Coping
1. Start with what we can control
2. Tackle what’s out of our control
3. (Re-)enforcement
1. Start with what we can control
Internal process
1. Log the contract
2. Assign ownership
3. Initial review
   a. Additional review
4. Record results
IT contract review process
Contract submitted to Purchasing & Contracts
Does the contract involve information technology?
If YES: Send to UIS
Contract assigned to contract review coordinator
Contract Review Memorandum created
Initial review conducted
Does the contract require specialist review?
If YES: Specialist assigned; review conducted
If NO: Contract Review Memorandum finalized
Approve or reject; requirements for approval & recommendations sent to P&C and client
Refinement
Internal process: Address bottlenecks; Boilerplate language
Set expectations: Initial communication; Review interview; Vendor contact
Develop standardized contract review criteria
Contract Review Memorandum
Serves as official record
Contract details as submitted
Contact with departments & vendors
Requirements for execution
Recommendations for project improvements
Easy comparison of contracts with similar or same vendors
Easy reference
Standardized contract review criteria
What data are gathered/stored/transmitted?
Where is the system or data hosted?
What authentication & authorization are involved?
What access does the vendor have to protected data?
Does the system interact with other systems?
Are there any regulatory implications?
What policies are applicable?
Is ongoing support included in the contract?
2. Tackle what’s out of our control
Education: Develop background materials; Dog and pony shows; Set expectations; ‘Deputize’ IT partners
Intervention: Act as consultants for departments; Act as intermediary with vendors
Remove barriers: Set minimum standards; Provide standardized confidentiality addendum; Provide template for Statements of Work
Statement of Work template
Project details & description
Nature of contracted services: Discovery/design; Licensed product; Application development; Implementation
Scope
Responsibilities
Assumptions
Deliverables
Hosting, vendor access, support
3. (Re-)enforcement
Push work back on departments
No UIS approval: No executed contract; No payment of vendor; No release of work product
Results
Significant reduction of review time: Practice makes perfect; Focusing on the priorities; Less time chasing details
Informed clients: Pre-reviews
Better contracts; saved money
Better grasp of scope of technology initiatives across campus: Insight into typically independent sectors
Why institute a formal contract review process?
Leverage existing contracts
Increased security overall; protects vendors and clients alike
Speed to contract execution; prompt payment for vendors
Formal record of findings & approval requirements & recommendations
An ounce of prevention is worth a pound of cure
Questions?
Examples: Contract Review Memorandum Template; Statement of Work
For more information, feel free to contact: Mary Pickering – [email protected]